I made a search over two indexes (OR connected) and five sourcetypes (OR connected), limited the time to two days and received 26,300 events. Now I pipe this to a sort _time and suddenly only 10,000 of 26,300 events match?

What is wrong here? Since when does sorting filter results?

Example:

index="index-one" OR index="index-two" sourcetype="sourcetype-one" OR sourcetype="sourcetype-two" OR sourcetype="sourcetype-three" OR sourcetype="sourcetype-four" OR sourcetype="sourcetype-five" | sort _time