The sort()
query function is used to sort events
based on a given field — or fields. Events can be sorted by multiple
fields by setting the field parameter to an array of field names (for
example, between square-brackets in a comma-separated list). Likewise, the
order and type of each field can be specified by setting the
order
and
type
parameters to arrays.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
field [a] | array of strings | optional[b] | _count | The fields by which to sort events. |
limit | integer | optional[b] | 200 | The maximum number of events included in results. |
Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | ||
order | array of strings | optional[b] | desc | The order in which to sort. |
Valid Values | ||||
asc | Sort ascending | |||
desc | Sort descending | |||
reverse (deprecated) | boolean | optional[b] | false | Whether to sort in descending order. This parameter is deprecated: use order instead. (deprecated in 1.100.0) |
Valid Values | ||||
false | Sort ascending | |||
true | Sort descending | |||
type | array of strings | optional[b] | number | Set the data type of the fields to influence the sorting order. |
Valid Values | ||||
any | Any fields. (removed in 1.142.0) | |||
hex | Treat the field as a hexadecimal value and sort in numerical order | |||
number | Treat the field as numerical and sort in numerical order | |||
string | Treat the field as string values and sort alphabetical | |||
[b] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscale Syntaxsort(["value"])
and:
logscale Syntaxsort(field=["value"])
These examples show basic structure only.
If the order
or
type
parameter is a single
value, all fields are sorted with the same order or type.
Setting the type
field tells
sort()
how to compare the individual values, either
using lexicographical order (for example,
string
), numerical magnitude (for
example, number
,
hex
). The
hex
argument supports numbers as
strings starting with either 0x
,
0X
, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid sorting
large numbers of events. Perform filtering first and sort the results,
or use aggregation to simplify the event list before sorting. Putting
sort()
last in a query, after an aggregating
function will offer the best performance.
sort()
Examples
As an example, suppose you have LogScale ingesting data from a
web server and want to get a list of referring domains and sub-domains.
That is to say, the URLs without the path and web page from which it
came (for example, just www.example.com
from
http://www.example.com/sales/great-sites.html
).
Suppose further that you want a count of each referrer and want to sort
them alphabetically in reverse order — because we're fickle like
that. Below is an example of how that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/
| $)", field=referrer)
| groupby(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
In the first line here, we're using the regex()
function to extract just the first part of the URL, dropping everything
after the domain and first slash. On the second line we're using
groupBy()
to group on each referrer (for example,
ref_url
) and counting them. If we hadn't
stripped out the base URL from the first line, we might have multiple
entries for each domain. See the regex()
and
groupBy()
reference pages for more information on
those query functions.
In the third line of the query above, notice the parameters for the
sort()
function. First is the new field
ref_url we created in the first
line, then type
parameter to
specify the values sorted may include characters or numbers. The second
is how to order the results: in this case, in descending order. Last is
the limit
parameter to limit
the results to the first twelve in the sorted list of results. The table
below shows the results.
ref_url | _count |
---|---|
www.zabotkin.ru | 14 |
www.tangblog.top | 1 |
www.skidn.com | 1 |
www.klfd.net | 1 |
www.iopt.pro | 42 |
www.google.com.au | 1 |
www.google.com | 11 |
www.bing.com | 3 |
To sort events by ascending or descending value, use the
order
parameter, for example:
groupby(ref_url)
| sort(ref_url, type=string, order=asc, limit=12)
The output has been ordered using a string based (for example, alphabetical) sorting method.
The limit
parameter to
sort()
limits the number of rows returned by the
function after the sort has been completed. For example, to sort metrics
by the repository name and then output the top entry:
name=datasource-count
|groupBy([repo])
|sort(field=_count,type=number,order=desc,limit=1)
The above query works by sorting the grouped counts (in the
_count field), explicitly
setting the type to number
and then
sorting by high to lowest (descending order).
To sort events by ascending or descending value, use the
order
parameter, for example:
groupby(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
When using multiple fields, supply a corresponding array to
order
parameter as the
field
parameter, for example:
groupby([ref_url,method])
| sort([ref_url,method], type=string, order=[desc,asc], limit=12)