The sort()
query function is used to sorts events
based on a given field — or fields. Events can be sorted by multiple
fields by setting the field parameter to an array of field names (i.e.,
between square-brackets in a comma-separated list). Likewise, the order
and type of each field can be specified by setting the
order
and
type
parameters to arrays.
Parameter | Type | Required | Default | Description | |
---|---|---|---|---|---|
field [a] | Array of strings | optional[b] | _count | The fields by which to sort events. | |
limit | integer | optional[b] | 200 | The maximum number of events included in results. | |
Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | |||
order | Array of strings | optional[b] | desc | The order in which to sort. | |
Valid Values | |||||
asc | Sort ascending | ||||
desc | Sort descending | ||||
reverse (deprecated) | boolean | optional[b] | false | Whether to sort in descending order. This parameter is deprecated: use order instead. (deprecated in 1.100.0) | |
Valid Values | |||||
false | Sort ascending | ||||
true | Sort descending | ||||
type | Array of strings | optional[b] | number | Set the data type of the fields to influence the sorting order. | |
Valid Values | |||||
hex | Treat the field as a hexadecimal value and sort in numerical order | ||||
number | Treat the field as numerical and sort in numerical order | ||||
string | Treat the field as string values and sort alphabetical | ||||
[b] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscalesort("field")
and:
logscalesort(field="field")
These examples show basic structure only.
If the order
or
type
parameter is a single
value, all fields are sorted with the same order or type.
Setting the type
field tells
sort()
how to compare the individual values, either
using lexicographical order (i.e.,
string
), numerical magnitude
(i.e., number
,
hex
), or automatically based on
the first value it finds (i.e., any
).
The hex
argument supports numbers
as strings starting with either 0x
,
0X
, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid sorting
large numbers of events. Perform filtering first and sort the results,
or use aggregation to simplify the event list before sorting. Putting
sort()
last in a query, after an aggregating
function will offer the best performance.
sort()
Examples
As an example, suppose you have LogScale ingesting data from a web
server and want to get a list of referring domains and sub-domains. That
is to say, the URLs without the path and web page from which it came
(e.g., just www.example.com
from
http://www.example.com/sales/great-sites.html
).
Suppose further that you want a count of each referrer and want to sort
them alphabetically in reverse order — because we're fickle like
that. Below is an example of how that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/
| $)", field=referrer)
| groupby(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
In the first line here, we're using the regex()
function to extract just the first part of the URL, dropping everything
after the domain and first slash. On the second line we're using
groupBy()
to group on each referrer (i.e.,
ref_url
) and counting them. If we hadn't
stripped out the base URL from the first line, we might have multiple
entries for each domain. See the regex()
and
groupBy()
reference pages for more information on
those query functions.
In the third line of the query above, notice the parameters for the
sort()
function. First is the new field
ref_url we created in the first
line, then type
parameter to
specify the values sorted may include characters or numbers. The second
is how to order the results: in this case, in descending order. Last is
the limit
parameter to limit
the results to the first twelve in the sorted list of results. The table
below shows the results.
ref_url | _count |
---|---|
www.zabotkin.ru | 14 |
www.tangblog.top | 1 |
www.skidn.com | 1 |
www.klfd.net | 1 |
www.iopt.pro | 42 |
www.google.com.au | 1 |
www.google.com | 11 |
www.bing.com | 3 |
To sort events by ascending or descending value, use the
order
parameter, for example:
groupby(ref_url)
| sort(ref_url, type=string, order=asc, limit=12)
The output has been ordered using a string based (i.e. alphabetical) sorting method.
The limit
parameter to
sort()
limits the number of rows returned by the
function after the sort has been completed. For example, to sort metrics
by the repository name and then output the top entry:
name=datasource-count
|groupBy([repo])
|sort(field=_count,type=number,order=desc,limit=1)
The above query works by sorting the grouped counts (in the
_count field), explicitly setting the type to
number
and then sorting by high to lowest (descending
order).
To sort events by ascending or descending value, use the
order
parameter, for example:
groupby(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
When using multiple fields, supply a corresponding array to
order
parameter as the
field
parameter, for example:
groupby([ref_url,method])
| sort([ref_url,method], type=string, order=[desc,asc], limit=12)