The sort() query function is used to sort
events based on a given field — or fields. Events can be
sorted by multiple fields by setting the field parameter to an
array of field names (for example, between square-brackets in a
comma-separated list). Likewise, the order and type of each
field can be specified by setting the
order and
type parameters to
arrays.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
field[a] | array of strings | optional[b] | The fields by which to sort events. | |
limit | integer | optional[b] | 200 | The argument given to this parameter determines the limit on the number of events included in the result of the function. The default argument is default. The maximum is controlled by the StateRowLimit dynamic configuration, which is StateRowLimit by default. If the argument is max (limit=max), then the value of StateRowLimit is used. |
order | array of strings | optional[b] | desc | The order in which to sort. |
| Values | ||||
asc | Sort ascending | |||
desc | Sort descending | |||
reverse (deprecated) | boolean | optional[b] | false | Whether to sort in descending order. This parameter is deprecated: use order instead. (deprecated in 1.100) |
| Values | ||||
false | Sort ascending | |||
true | Sort descending | |||
type | array of strings | optional[b] | number | Set the data type of the fields to influence the sorting order. |
| Values | ||||
any | Any fields. | |||
hex | Treat the field as a hexadecimal value and sort in numerical order | |||
number | Treat the field as numerical and sort in numerical order | |||
string | Treat the field as string values and sort alphabetical | |||
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale Syntaxsort(["value"])and:
logscale Syntaxsort(field=["value"])These examples show basic structure only.
If the order or
type parameter is a
single value, all fields are sorted with the same order or type.
Setting the type field
tells sort() how to compare the individual
values, either using lexicographical order (for example,
string), numerical
magnitude (for example,
number,
hex). The
hex argument supports
numbers as strings starting with either
0x,
0X, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid
sorting large numbers of events. Perform filtering first and
sort the results, or use aggregation to simplify the event
list before sorting. Putting sort() last
in a query, after an aggregating function will offer the best
performance.
sort() Syntax Examples
As an example, suppose you have LogScale ingesting
data from a web server and want to get a list of referring
domains and sub-domains. That is to say, the URLs without the
path and web page from which it came (for example, just
www.example.com from
http://www.example.com/sales/great-sites.html).
Suppose further that you want a count of each referrer and
want to sort them alphabetically in reverse order —
because we're fickle like that. Below is an example of how
that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/
| $)", field=referrer)
| groupBy(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
In the first line here, we're using the
regex() function to extract just the
first part of the URL, dropping everything after the domain
and first slash. On the second line we're using
groupBy() to group on each referrer (for
example, ref_url) and counting
them. If we hadn't stripped out the base URL from the first
line, we might have multiple entries for each domain. See the
regex() and
groupBy() reference pages for more
information on those query functions.
In the third line of the query above, notice the parameters
for the sort() function. First is the new
field ref_url we
created in the first line, then
type parameter to
specify the values sorted may include characters or numbers.
The second is how to order the results: in this case, in
descending order. Last is the
limit parameter to
limit the results to the first twelve in the sorted list of
results. The table below shows the results.
| ref_url | _count |
|---|---|
| www.zabotkin.ru | 14 |
| www.tangblog.top | 1 |
| www.skidn.com | 1 |
| www.klfd.net | 1 |
| www.iopt.pro | 42 |
| www.google.com.au | 1 |
| www.google.com | 11 |
| www.bing.com | 3 |
To sort events by ascending or descending value, use the
order parameter, for
example:
groupBy(ref_url)
| sort(ref_url, type=string, order=asc, limit=12)The output has been ordered using a string based (for example, alphabetical) sorting method.
The limit parameter
to sort() limits the number of rows
returned by the function after the sort has been completed.
For example, to sort metrics by the repository name and then
output the top entry:
name=datasource-count
|groupBy([repo])
|sort(field=_count,type=number,order=desc,limit=1)
The above query works by sorting the grouped counts (in the
_count field),
explicitly setting the type to
number and then sorting by
high to lowest (descending order).
To sort events by ascending or descending value, use the
order parameter, for
example:
groupBy(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
When using multiple fields, supply a corresponding array to
order parameter as
the field parameter,
for example:
groupBy([ref_url,method])
| sort([ref_url,method], type=string, order=[desc,asc], limit=12)sort()Examples
Click next to an example below to get the full details.
Analyze User Sessions Based on Click Activity
Analyzes user sessions based on users click activity using the
session() function
Query
groupBy(cookie_id, function=session(maxpause=15m, count(as=clicks)))
| sort(clicks)Introduction
In this example, the session() function is used to
analyze user sessions based on users click activity. The
session() function groups events by a given
timespan.
Example incoming data might look like this:
| timestamp | cookie_id | action_type | page_url | user_agent |
|---|---|---|---|---|
| 2025-05-15 05:30:00 | user123 | pageview | /home | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| 2025-05-15 05:30:15 | user123 | click | /products | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| 2025-05-15 05:30:30 | user123 | click | /product/item1 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| 2025-05-15 05:31:00 | user123 | click | /cart | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| 2025-05-15 05:31:30 | user123 | click | /checkout | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| 2025-05-15 05:35:00 | user456 | pageview | /home | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) |
| 2025-05-15 05:35:30 | user456 | click | /about | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) |
| 2025-05-15 05:36:00 | user456 | click | /contact | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) |
| 2025-05-15 05:38:00 | user789 | pageview | /home | Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) |
| 2025-05-15 05:38:30 | user789 | click | /products | Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) |
Step-by-Step
Starting with the source repository events.
- logscale
groupBy(cookie_id, function=session(maxpause=15m, count(as=clicks)))Groups events by the field cookie_id (unique user identifier) and creates sessions with 15-minute inactivity timeout (the default value of the
maxpauseparameter), then makes a count of each event in a session returning the result in a new field named clicks. - logscale
| sort(clicks)Sorts the results by number of clicks (default is descending order).
Event Result set.
Summary and Results
The query is used to analyze user sessions based on the users click activity. The query is useful, for example, to identify most/least active user sessions, detect potential automated behavior or just to understand user engagement levels.
Sample output from the incoming example data:
| cookie_id | clicks |
|---|---|
| user123 | 5 |
| user456 | 3 |
| user789 | 2 |
Note that each row represents an event (either pageview or click).
Calculate Query Cost for All Users by Repository
Search across multiple repositories to calculate query costs for
all users by repository using sort() and
groupBy() functions
Query
#type=humio #kind=logs class=c.h.j.RunningQueriesLoggerJob message="Highest Cost query"
| groupBy(repo, initiatingUser, totalLiveCost, totalStaticCost)
| sort([totalLiveCost, totalStaticCost])Introduction
In this example, the query uses sort() and
groupBy() functions to find query costs. The query
filters logs in humio repository that are tagged with
kind equal to
logs and then returns the events
where the class field has values
containing
c.h.j.RunningQueriesLoggerJob,
searching for the specific value Highest Cost
query.
Example incoming data might look like this:
| #type | #kind | class | message | timestamp | dataspace | initiatingUser | totalLiveCost | totalStaticCost | deltaTotalCost | repo |
|---|---|---|---|---|---|---|---|---|---|---|
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:30:00Z | production | john.doe | 1500 | 800 | 2300 | security-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:31:00Z | development | jane.smith | 2000 | 1200 | 3200 | app-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:32:00Z | staging | bob.wilson | 1000 | 500 | 1500 | infra-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:33:00Z | production | john.doe | 1800 | 900 | 2700 | security-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:34:00Z | development | jane.smith | 2500 | 1300 | 3800 | app-logs |
| humio | logs | c.h.j.RunningQueriesLoggerJob | Highest Cost query | 2025-03-26T09:35:00Z | staging | alice.cooper | 1200 | 600 | 1800 | infra-logs |
Step-by-Step
Starting with the source repository events.
- logscale
#type=humio #kind=logs class=c.h.j.RunningQueriesLoggerJob message="Highest Cost query"Filters for Humio internal logs containing
c.h.j. RunningQueriesLoggerJobin the class field and where the value in the message field is equal toHighest Cost query. - logscale
| groupBy(repo, initiatingUser, totalLiveCost, totalStaticCost)Groups the results by the repo field, the initiatingUser field, and by both cost types (the fields totalLiveCost, totalStaticCost), and returns a count in a field named _count.
- logscale
| sort([totalLiveCost, totalStaticCost])Sorts the results by both the totalLiveCost field and the totalStaticCost field, in descending order by default.
Event Result set.
Summary and Results
The query is used to search across multiple repositories and output query costs for all users by repository. The query returns the count in a field named _count. Use this query to focus on live and static costs separately.
Sample output from the incoming example data:
| repo | initiatingUser | totalLiveCost | totalStaticCost | _count |
|---|---|---|---|---|
| app-logs | jane.smith | 2000 | 1200 | 1 |
| security-logs | john.doe | 1500 | 800 | 1 |
| infra-logs | bob.wilson | 1000 | 500 | 1 |
Filter Out Fields With No Value
Filter out fields with no values from search results
Query
method=GET
groupBy(field=[method, statuscode], function=count(as=method_total))
sort([method, statuscode], order=asc)
FieldName!=""Introduction
It is possible to filter out on fields with no values in a given returned search result. In this example, all statuscode fields containing no value is filtered out from the final search result.
Example incoming data might look like this:
| method | statuscode | method_total |
|---|---|---|
| GET | <no value> | 10 |
| GET | 200 | 32492 |
| GET | 301 | 1 |
| GET | 304 | 113 |
| GET | 403 | 9 |
| GET | 404 | 132 |
Step-by-Step
Starting with the source repository events.
- logscale
method=GETFilters for all events with methods of the type
GET. - logscale
groupBy(field=[method, statuscode], function=count(as=method_total))Groups the returned results into a method field and a statuscode field and makes a count of the events in a new field named method_total.
- logscale
sort([method, statuscode], order=asc)Sorts the returned results in ascending order.
- logscale
FieldName!=""Excludes all events where one of the fields do not contain a value.
Event Result set.
Summary and Results
The query is used to filter out fields not containing any values from the returned search result.
Sample output from the incoming example data:
| method | statuscode | method_total |
|---|---|---|
| GET | 200 | 32492 |
| GET | 301 | 1 |
| GET | 304 | 113 |
| GET | 403 | 9 |
| GET | 404 | 132 |
Find Least Common Values of a Field
Find the least common values of a field using the
sort() function with
count()
Query
groupby([type,kind], limit=max, function=count())
| sort(_count, order=asc)Introduction
The sort() function can be used to sort values in a
field bottom up. This is the opposite of the top()
function, that can be used to find the most common values of a field in
a set of events.
In this example, the sort() function is used to
find the least common values of a field. Types of parsers used
(type field) are grouped with
their LogScale logging types
(kind field) to find the least
common values when searching for events of, for example, kinds
metrics.
Step-by-Step
Starting with the source repository events.
- logscale
groupby([type,kind], limit=max, function=count())Groups the event set by the fields type and kind. For each unique combination of type and kind, it then counts the number of events, and returns the results in a field named _count.
The parameter
limitis set tomaxto return all counts, as the purpose of this example is to find the least common values of a field. - logscale
| sort(_count, order=asc)Sorts the returned results in ascending order from the least common combinations to the most common combinations of type and kind.
Event Result set.
Summary and Results
The query is used to find the least common values of a field in a set of events, in this example, identifying the least and most common type/kind combinations in an event set. Identifying rare combinations of type and kind could indicate unusual events or potential security issues. This type of query is useful in various scenarios, particularly for data analysis and understanding patterns in event sets.
Sort Timestamps With groupBy()
Sorting fields based on aggregated field values
Query
Search Repository: humio
timestamp := formatTime(format="%H:%M")
| groupBy([thread],
function=[{sort("timestamp")
| collect("timestamp")}])Introduction
When using aggregation, you may want to sort on a field that is
part of the aggregated set but not the main feature of the
aggregated value. For example, sorting the values by their
timestamp rather than the embedded value. To achieve this, you
should use a function that sorts the field to be used as the sort
field, and then use collect() so that the
value from before the aggregation can be displayed in the
generated event set. This query can be executed in the
humio respository.
Step-by-Step
Starting with the source repository events.
- logscale
timestamp := formatTime(format="%H:%M")Creates a new field, timestamp formatted as
HH:MM. - logscale
| groupBy([thread],Groups the events, first by the name of the thread and then the formatted timestamp.
- logscale
function=[{sort("timestamp") | collect("timestamp")}])Uses the
sort()combined withcollect()as the method fo aggregation. As an embedded expression for the function, this will sort the events on the timestamp field and then retrieve the field as it would normally be removed as part of the aggregation process. Event Result set.
Summary and Results
The result set will contain a list of the aggregated thread names sorted by the timestamp:
| thread | timestamp |
|---|---|
| BootstrapInfoJob | 10:09 |
| DataSynchJob | 10:09 |
| Global event loop | 10:10 |
| LocalLivequeryMonitor | 10:09 |
| LogCollectorManifestUpdate | 10:09 |
| TransientChatter event loop | 10:10 |
| aggregate-alert-job | 10:09 |
| alert-job | 10:09 |
| block-processing-monitor-job | 10:09 |
| bloom-scheduler | 10:09 |
| bucket-entity-config | 10:09 |
| bucket-overcommit-metrics-job | 10:09 |
| bucket-storage-download | 10:09 |
| bucket-storage-prefetch | 10:09 |
| chatter-runningqueries-logger | 10:09 |
| chatter-runningqueries-stats | 10:09 |