The sort()
query function is used to sort
events based on a given field — or fields. Events can be
sorted by multiple fields by setting the field parameter to an
array of field names (for example, between square-brackets in a
comma-separated list). Likewise, the order and type of each
field can be specified by setting the
order
and
type
parameters to
arrays.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
field [a] | array of strings | optional[b] | _count | The fields by which to sort events. |
limit | integer | optional[b] | 200 | The maximum number of events included in results. |
Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | ||
order | array of strings | optional[b] | desc | The order in which to sort. |
Valid Values | ||||
asc | Sort ascending | |||
desc | Sort descending | |||
reverse (deprecated) | boolean | optional[b] | false | Whether to sort in descending order. This parameter is deprecated: use order instead. (deprecated in 1.100.0) |
Valid Values | ||||
false | Sort ascending | |||
true | Sort descending | |||
type | array of strings | optional[b] | number | Set the data type of the fields to influence the sorting order. |
Valid Values | ||||
any | Any fields. | |||
hex | Treat the field as a hexadecimal value and sort in numerical order | |||
number | Treat the field as numerical and sort in numerical order | |||
string | Treat the field as string values and sort alphabetical | |||
[b] Optional parameters use their default value unless explicitly set. |
If the order
or
type
parameter is a
single value, all fields are sorted with the same order or type.
Setting the type
field
tells sort()
how to compare the individual
values, either using lexicographical order (for example,
string
), numerical
magnitude (for example,
number
,
hex
). The
hex
argument supports
numbers as strings starting with either
0x
,
0X
, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid
sorting large numbers of events. Perform filtering first and
sort the results, or use aggregation to simplify the event
list before sorting. Putting sort()
last
in a query, after an aggregating function will offer the best
performance.
sort()
Examples
As an example, suppose you have LogScale ingesting
data from a web server and want to get a list of referring
domains and sub-domains. That is to say, the URLs without the
path and web page from which it came (for example, just
www.example.com
from
http://www.example.com/sales/great-sites.html
).
Suppose further that you want a count of each referrer and
want to sort them alphabetically in reverse order —
because we're fickle like that. Below is an example of how
that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/
| $)", field=referrer)
| groupBy(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
In the first line here, we're using the
regex()
function to extract just the
first part of the URL, dropping everything after the domain
and first slash. On the second line we're using
groupBy()
to group on each referrer (for
example, ref_url
) and counting
them. If we hadn't stripped out the base URL from the first
line, we might have multiple entries for each domain. See the
regex()
and
groupBy()
reference pages for more
information on those query functions.
In the third line of the query above, notice the parameters
for the sort()
function. First is the new
field ref_url we
created in the first line, then
type
parameter to
specify the values sorted may include characters or numbers.
The second is how to order the results: in this case, in
descending order. Last is the
limit
parameter to
limit the results to the first twelve in the sorted list of
results. The table below shows the results.
ref_url | _count |
---|---|
www.zabotkin.ru | 14 |
www.tangblog.top | 1 |
www.skidn.com | 1 |
www.klfd.net | 1 |
www.iopt.pro | 42 |
www.google.com.au | 1 |
www.google.com | 11 |
www.bing.com | 3 |
To sort events by ascending or descending value, use the
order
parameter, for
example:
groupBy(ref_url)
| sort(ref_url, type=string, order=asc, limit=12)
The output has been ordered using a string based (for example, alphabetical) sorting method.
The limit
parameter
to sort()
limits the number of rows
returned by the function after the sort has been completed.
For example, to sort metrics by the repository name and then
output the top entry:
name=datasource-count
|groupBy([repo])
|sort(field=_count,type=number,order=desc,limit=1)
The above query works by sorting the grouped counts (in the
_count field),
explicitly setting the type to
number
and then sorting by
high to lowest (descending order).
To sort events by ascending or descending value, use the
order
parameter, for
example:
groupBy(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
When using multiple fields, supply a corresponding array to
order
parameter as
the field
parameter,
for example:
groupBy([ref_url,method])
| sort([ref_url,method], type=string, order=[desc,asc], limit=12)