Fix elastic#95258 - cardinality sort bug

madirey · Sep 8, 2021 · ee7ce2a · ee7ce2a
1 parent bb739d4
commit ee7ce2a
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/...security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts b/...security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts
@@ -89,6 +89,11 @@ export const findThresholdSignals = async ({
 
   const thresholdFields = threshold.field;
 
+  // order buckets by cardinality (https://github.com/elastic/kibana/issues/95258)
+  const orderByCardinality = threshold.cardinality?.length
+    ? { order: { cardinality_count: 'desc' } }
+    : {};
+
   // Generate a nested terms aggregation for each threshold grouping field provided, appending leaf
   // aggregations to 1) filter out buckets that don't meet the cardinality threshold, if provided, and
   // 2) return the latest hit for each bucket so that we can persist the timestamp of the event in the
@@ -104,6 +109,7 @@ export const findThresholdSignals = async ({
         set(acc, aggPath, {
           terms: {
             field,
+            ...orderByCardinality,
             min_doc_count: threshold.value, // not needed on parent agg, but can help narrow down result set
             size: 10000, // max 10k buckets
           },
@@ -121,6 +127,7 @@ export const findThresholdSignals = async ({
               source: '""', // Group everything in the same bucket
               lang: 'painless',
             },
+            ...orderByCardinality,
             min_doc_count: threshold.value,
           },
           aggs: leafAggs,