Sorts events by their fields.
Events can be sorted by multiple fields by setting the field parameter to an array of field names. Likewise, the order and type of each field can be specified by setting the order and type parameters to arrays. If the order or type parameter is a single value, all fields are sorted with the same order or type.
order and reverse cannot be specified at the same time.
Setting the type parameter tells sort how to compare the individual values, either using lexicographical order (string), numerical magnitude (number, hex), or automatically based on the first value it finds (any). hex supports numbers as strings starting with either 0x, 0X or no prefix.
Warning: sorting is done in memory, so do not sort huge numbers of events. This is typically not a problem if the result has been aggregated. Typically sort is put last in the query, after an aggregating function.
Name | Type | Required | Default | Description |
---|---|---|---|---|
field | [string] | No | _count | Names of fields to sort by. |
type | [string] | No | any | Type of the fields to sort. Can be any, string, number, or hex. |
reverse | bool | No | | Whether to sort in descending order. Deprecated: prefer order instead. |
order | [string] | No | | Order to sort in. Can be any prefix of ascending or descending. descending is default. |
limit | number | No | | Limit result size. If no limit is specified a default limit of 200 is used. |
field is the unnamed parameter.
Count the different http status codes for a webserver and sort them descending by their count
groupby(field=statuscode, function=count()) | sort(field=_count, type=number, order=desc)
Find the 50 slowest requests from service A
service=my-service-a | sort(responsetime, limit=50)
Sort all results by statuscode, then by response_size within each statuscode
#type=accesslog | sort([statuscode, response_size])
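The effect of the type, order and limit parameters described above can be seen in a small Python model. This is an added illustration, not code from the product or its documentation; `sort_events` and `EVENTS` are hypothetical names, and the way `any` inspects the first value, as well as every event carrying the sorted field, are assumptions.

```python
# Added illustration: a Python model of the documented sort() rules, not Humio code.
EVENTS = [  # constructed sample events; all values are strings, as in parsed logs
    {"statuscode": "500", "response_size": "9", "addr": "0x1F"},
    {"statuscode": "200", "response_size": "10", "addr": "ff"},
    {"statuscode": "200", "response_size": "9", "addr": "0Xa"},
    {"statuscode": "500", "response_size": "120", "addr": "2"},
]

def _key(value, type_):
    """Turn one field value into a comparable key for the given sort type."""
    if type_ == "string":
        return str(value)             # lexicographical order
    if type_ == "number":
        return float(value)           # numerical magnitude
    if type_ == "hex":
        return int(str(value), 16)    # accepts 0x, 0X or no prefix
    raise ValueError(f"unknown type: {type_}")

def _resolve_any(events, field):
    """Assumption: 'any' picks number if the first value found parses as one."""
    for event in events:
        if field in event:
            try:
                float(event[field])
                return "number"
            except ValueError:
                return "string"
    return "string"

def _descending(order):
    """order may be any non-empty prefix of 'ascending' or 'descending'."""
    if order and "descending".startswith(order):
        return True
    if order and "ascending".startswith(order):
        return False
    raise ValueError(f"bad order: {order!r}")

def sort_events(events, field="_count", type="any", order="descending", limit=200):
    fields = [field] if isinstance(field, str) else list(field)
    # A single type or order value applies to every field.
    types = [type] * len(fields) if isinstance(type, str) else list(type)
    orders = [order] * len(fields) if isinstance(order, str) else list(order)
    types = [_resolve_any(events, f) if t == "any" else t for f, t in zip(fields, types)]
    out = list(events)
    # Stable sorts applied from the last field to the first give multi-field order.
    for f, t, o in reversed(list(zip(fields, types, orders))):
        out.sort(key=lambda e: _key(e[f], t), reverse=_descending(o))
    return out[:limit]                # results are truncated to the limit
```

Sorting response_size as string places "10" and "120" before "9", which is why a numeric field that is compared lexicographically can hide the largest values once the limit truncates the result.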