The sort() query function is used to sorts events
based on a given field — or fields. Events can be sorted by multiple
fields by setting the field parameter to an array of field names (i.e.,
between square-brackets in a comma-separated list). Likewise, the order
and type of each field can be specified by setting the order and type
parameter to arrays.
Function Traits: Aggregate
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field[a] | Array of strings | optional | _count | The fields by which to sort events. |
limit | number | optional | 200 | The maximum number of events included in results. |
order | Array of strings | optional | desc | The order in which to sort. |
| Valid Values | asc | Sort ascending | ||
desc | Sort descending | |||
reverse | boolean | optional | false | Whether to sort in descending order. This is deprecated: use instead order. |
| Valid Values | false | Sort ascending | ||
true | Sort descending | |||
type | Array of strings | optional | any | The type of fields to sort. |
| Valid Values | any | Any fields | ||
hex | Hexaedecimal fields | |||
number | Numerical fields | |||
string | String fields | |||
The parameter name for field can be omitted; the following forms are equivalent:
sort("_count")and:
sort(field="_count")
If the order or
type parameter is a single value, all
fields are sorted with the same order or type.
Setting the type field tells sort() how to compare
the individual values, either using lexicographical order (i.e.,
string), numerical magnitude (i.e.,
number,
hex), or automatically based on the first
value it finds (i.e., any). The
hex parameter supports numbers as strings
starting with either 0x,
0X, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid sorting
large numbers of events. Perform filtering first and sort the results,
or use aggregation to simplify the event list before sorting. Putting
sort() last in a query, after an aggregating
function will offer the best performance.
sort() Examples
As an example, suppose you have LogScale ingesting data from a web
server and want to get a list of referring domains and sub-domains. That
is to say, the URLs without the path and web page from which it came
(e.g., just www.example.com from
http://www.example.com/sales/great-sites.html).
Suppose further that you want a count of each referrer and want to sort
them alphabetically in reverse order — because we're fickle like
that. Below is an example of how that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/
| $)", field=referrer)
| groupby(ref_url)
| sort(ref_url, type=any, order=desc, limit=12)
In the first line here, we're using the regex()
function to extract just the first part of the URL, dropping everything
after the domain and first slash. On the second line we're using
groupBy() to group on each referrer (i.e.,
ref_url) and counting them. If we hadn't
stripped out the base URL from the first line, we might have multiple
entries for each domain. See the regex() and
groupBy() reference pages for more information on
those query functions.
In the third line of the query above, notice the parameters for the
sort() function. First is the new field
ref_url we created in the first line,
then type parameter to specify the
values sorted may include characters or numbers. The second is how to
order the results: in this case, in descending order. Last is the
limit parameter to limit the results to
the first twelve in the sorted list of results. The screenshot in
Figure 105, “sort() Examples” here shows the results
in a Table widget.
 |
Figure 105. sort() Examples