elastic
diff --git a/‎x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/events/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/events/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/plugins/security_solution/common/types/timeline/index.ts‎
Lines changed: 6 additions & 1 deletion b/‎x-pack/plugins/security_solution/common/types/timeline/index.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎x-pack/plugins/security_solution/cypress/integration/events_viewer.spec.ts‎
Lines changed: 2 additions & 2 deletions b/‎x-pack/plugins/security_solution/cypress/integration/events_viewer.spec.ts‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎x-pack/plugins/security_solution/cypress/test_files/expected_timelines_export.ndjson‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/plugins/security_solution/cypress/test_files/expected_timelines_export.ndjson‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/plugins/security_solution/public/common/components/drag_and_drop/draggable_wrapper_hover_content.tsx‎
Lines changed: 2 additions & 2 deletions b/‎x-pack/plugins/security_solution/public/common/components/drag_and_drop/draggable_wrapper_hover_content.tsx‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx‎
Lines changed: 6 additions & 4 deletions b/‎x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx‎
Lines changed: 8 additions & 7 deletions b/‎x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎x-pack/plugins/security_solution/public/common/mock/global_state.ts‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/plugins/security_solution/public/common/mock/global_state.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/plugins/security_solution/public/common/mock/timeline_results.ts‎
Lines changed: 8 additions & 6 deletions b/‎x-pack/plugins/security_solution/public/common/mock/timeline_results.ts‎
Lines changed: 8 additions & 6 deletions
@@ -28,6 +28,7 @@ export interface EventsActionGroupData {
 export interface EventHit extends SearchHit {
   sort: string[];
   _source: EventSource;
+  fields: Record<string, unknown[]>;
   aggregations: {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     [agg: string]: any;
 
@@ -31,7 +31,7 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
 export interface TimelineRequestOptionsPaginated<Field = string>
   extends TimelineRequestBasicOptions {
   pagination: Pick<PaginationInputPaginated, 'activePage' | 'querySize'>;
-  sort: SortField<Field>;
+  sort: Array<SortField<Field>>;
 }
 
 export type TimelineStrategyResponseType<
 
@@ -143,10 +143,15 @@ const SavedFavoriteRuntimeType = runtimeTypes.partial({
 /*
  *  Sort Types
  */
-const SavedSortRuntimeType = runtimeTypes.partial({
+
+const SavedSortObject = runtimeTypes.partial({
   columnId: unionWithNullType(runtimeTypes.string),
   sortDirection: unionWithNullType(runtimeTypes.string),
 });
+const SavedSortRuntimeType = runtimeTypes.union([
+  runtimeTypes.array(SavedSortObject),
+  SavedSortObject,
+]);
 
 /*
  *  Timeline Statuses
 
@@ -157,9 +157,9 @@ describe('Events Viewer', () => {
 
     it('re-orders columns via drag and drop', () => {
       const originalColumnOrder =
-        '@timestampmessagehost.nameevent.moduleevent.datasetevent.actionuser.namesource.ipdestination.ip';
+        '@timestamp1messagehost.nameevent.moduleevent.datasetevent.actionuser.namesource.ipdestination.ip';
       const expectedOrderAfterDragAndDrop =
-        'message@timestamphost.nameevent.moduleevent.datasetevent.actionuser.namesource.ipdestination.ip';
+        'message@timestamp1host.nameevent.moduleevent.datasetevent.actionuser.namesource.ipdestination.ip';
 
       cy.get(HEADERS_GROUP).invoke('text').should('equal', originalColumnOrder);
       dragAndDropColumn({ column: 0, newPosition: 0 });
 
@@ -1 +1 @@
-{"savedObjectId":"0162c130-78be-11ea-9718-118a926974a4","version":"WzcsMV0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1586256805054,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":1586256837669,"start":1546343624710},"description":"description","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"host.name:*","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}"}},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"title":"SIEM test","updated":1586256839298,"updatedBy":"elastic","timelineType":"default","eventNotes":[],"globalNotes":[],"pinnedEventIds":[]}
+{"savedObjectId":"0162c130-78be-11ea-9718-118a926974a4","version":"WzcsMV0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1586256805054,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":1586256837669,"start":1546343624710},"description":"description","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"host.name:*","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}"}},"savedQueryId":null,"sort":[{"columnId":"@timestamp","sortDirection":"desc"}],"title":"SIEM test","updated":1586256839298,"updatedBy":"elastic","timelineType":"default","eventNotes":[],"globalNotes":[],"pinnedEventIds":[]}
@@ -19,7 +19,7 @@ import { allowTopN } from './helpers';
 import * as i18n from './translations';
 import { useManageTimeline } from '../../../timelines/components/manage_timeline';
 import { TimelineId } from '../../../../common/types/timeline';
-import { SELECTOR_TIMELINE_BODY_CLASS_NAME } from '../../../timelines/components/timeline/styles';
+import { SELECTOR_TIMELINE_GLOBAL_CONTAINER } from '../../../timelines/components/timeline/styles';
 import { SourcererScopeName } from '../../store/sourcerer/model';
 import { useSourcererScope } from '../../containers/sourcerer';
 
@@ -230,7 +230,7 @@ export const useGetTimelineId = function (
         if (
           myElem != null &&
           myElem.classList != null &&
-          myElem.classList.contains(SELECTOR_TIMELINE_BODY_CLASS_NAME) &&
+          myElem.classList.contains(SELECTOR_TIMELINE_GLOBAL_CONTAINER) &&
           myElem.hasAttribute('data-timeline-id')
         ) {
           setTimelineId(myElem.getAttribute('data-timeline-id'));
 
@@ -79,10 +79,12 @@ const eventsViewerDefaultProps = {
     language: 'kql',
   },
   start: from,
-  sort: {
-    columnId: 'foo',
-    sortDirection: 'none' as SortDirection,
-  },
+  sort: [
+    {
+      columnId: 'foo',
+      sortDirection: 'none' as SortDirection,
+    },
+  ],
   scopeId: SourcererScopeName.timeline,
   utilityBar,
 };
 
@@ -115,7 +115,7 @@ interface Props {
   query: Query;
   onRuleChange?: () => void;
   start: string;
-  sort: Sort;
+  sort: Sort[];
   utilityBar?: (refetch: inputsModel.Refetch, totalCount: number) => React.ReactNode;
   // If truthy, the graph viewer (Resolver) is showing
   graphEventId: string | undefined;
@@ -202,11 +202,12 @@ const EventsViewerComponent: React.FC<Props> = ({
   ]);
 
   const sortField = useMemo(
-    () => ({
-      field: sort.columnId,
-      direction: sort.sortDirection as Direction,
-    }),
-    [sort.columnId, sort.sortDirection]
+    () =>
+      sort.map(({ columnId, sortDirection }) => ({
+        field: columnId,
+        direction: sortDirection as Direction,
+      })),
+    [sort]
   );
 
   const [
@@ -341,7 +342,7 @@ export const EventsViewer = React.memo(
     prevProps.kqlMode === nextProps.kqlMode &&
     deepEqual(prevProps.query, nextProps.query) &&
     prevProps.start === nextProps.start &&
-    prevProps.sort === nextProps.sort &&
+    deepEqual(prevProps.sort, nextProps.sort) &&
     prevProps.utilityBar === nextProps.utilityBar &&
     prevProps.graphEventId === nextProps.graphEventId
 );
@@ -239,7 +239,7 @@ export const mockGlobalState: State = {
         pinnedEventIds: {},
         pinnedEventsSaveObject: {},
         itemsPerPageOptions: [5, 10, 20],
-        sort: { columnId: '@timestamp', sortDirection: Direction.desc },
+        sort: [{ columnId: '@timestamp', sortDirection: Direction.desc }],
         isSaving: false,
         version: null,
         status: TimelineStatus.active,
 
@@ -2142,10 +2142,12 @@ export const mockTimelineModel: TimelineModel = {
   selectedEventIds: {},
   show: false,
   showCheckboxes: false,
-  sort: {
-    columnId: '@timestamp',
-    sortDirection: Direction.desc,
-  },
+  sort: [
+    {
+      columnId: '@timestamp',
+      sortDirection: Direction.desc,
+    },
+  ],
   status: TimelineStatus.active,
   title: 'Test rule',
   timelineType: TimelineType.default,
@@ -2177,7 +2179,7 @@ export const mockTimelineResult: TimelineResult = {
   templateTimelineId: null,
   templateTimelineVersion: null,
   savedQueryId: null,
-  sort: { columnId: '@timestamp', sortDirection: 'desc' },
+  sort: [{ columnId: '@timestamp', sortDirection: 'desc' }],
   version: '1',
 };
 
@@ -2247,7 +2249,7 @@ export const defaultTimelineProps: CreateTimelineProps = {
     selectedEventIds: {},
     show: false,
     showCheckboxes: false,
-    sort: { columnId: '@timestamp', sortDirection: Direction.desc },
+    sort: [{ columnId: '@timestamp', sortDirection: Direction.desc }],
     status: TimelineStatus.draft,
     title: '',
     timelineType: TimelineType.default,
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {`
`31`	`31`	`export interface TimelineRequestOptionsPaginated<Field = string>`
`32`	`32`	`extends TimelineRequestBasicOptions {`
`33`	`33`	`pagination: Pick<PaginationInputPaginated, 'activePage' \| 'querySize'>;`
`34`		`- sort: SortField<Field>;`
	`34`	`+ sort: Array<SortField<Field>>;`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`export type TimelineStrategyResponseType<`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-{"savedObjectId":"0162c130-78be-11ea-9718-118a926974a4","version":"WzcsMV0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1586256805054,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":1586256837669,"start":1546343624710},"description":"description","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"host.name:*","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}"}},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"title":"SIEM test","updated":1586256839298,"updatedBy":"elastic","timelineType":"default","eventNotes":[],"globalNotes":[],"pinnedEventIds":[]}
	`1`	+{"savedObjectId":"0162c130-78be-11ea-9718-118a926974a4","version":"WzcsMV0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1586256805054,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":1586256837669,"start":1546343624710},"description":"description","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"host.name:*","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}"}},"savedQueryId":null,"sort":[{"columnId":"@timestamp","sortDirection":"desc"}],"title":"SIEM test","updated":1586256839298,"updatedBy":"elastic","timelineType":"default","eventNotes":[],"globalNotes":[],"pinnedEventIds":[]}