The sort() query function is used to sorts events
based on a given field — or fields. Events can be sorted by multiple
fields by setting the field parameter to an array of field names (i.e.,
between square-brackets in a comma-separated list). Likewise, the order
and type of each field can be specified by setting the
order and
type parameters to arrays.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field[a] | Array of strings | optional[b] | _count | The fields by which to sort events. |
limit | integer | optional[b] | 200 | The maximum number of events included in results. |
| Maximum | 20,000 | The default maximum limit is not static and can be changed by setting
the StateRowLimit
dynamic configuration. | ||
order | Array of strings | optional[b] | desc | The order in which to sort. |
| Valid Values | ||||
asc | Sort ascending | |||
desc | Sort descending | |||
reverse (deprecated) | boolean | optional[b] | false | Whether to sort in descending order. This parameter is deprecated: use order instead. (deprecated in 1.100) |
| Valid Values | ||||
false | Sort ascending | |||
true | Sort descending | |||
type | Array of strings | optional[b] | number | Set the data type of the fields to influence the sorting order. |
| Valid Values | ||||
any | Any fields. (deprecated in 1.125) | |||
hex | Treat the field as a hexadecimal value and sort in numerical order | |||
number | Treat the field as numerical and sort in numerical order | |||
string | Treat the field as string values and sort alphabetical | |||
[b] Optional parameters use their default value unless explicitly set | ||||
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscalesort("_count")and:
logscalesort(field="_count")
If the order or
type parameter is a single
value, all fields are sorted with the same order or type.
Setting the type field tells sort() how to compare
the individual values, either using lexicographical order (i.e.,
string), numerical magnitude
(i.e., number,
hex), or automatically based on
the first value it finds (i.e., any).
The hex argument supports numbers
as strings starting with either 0x,
0X, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid sorting
large numbers of events. Perform filtering first and sort the results,
or use aggregation to simplify the event list before sorting. Putting
sort() last in a query, after an aggregating
function will offer the best performance.
sort() Examples
As an example, suppose you have LogScale ingesting data from a web
server and want to get a list of referring domains and sub-domains. That
is to say, the URLs without the path and web page from which it came
(e.g., just www.example.com from
http://www.example.com/sales/great-sites.html).
Suppose further that you want a count of each referrer and want to sort
them alphabetically in reverse order — because we're fickle like
that. Below is an example of how that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/
| $)", field=referrer)
| groupby(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
In the first line here, we're using the regex()
function to extract just the first part of the URL, dropping everything
after the domain and first slash. On the second line we're using
groupBy() to group on each referrer (i.e.,
ref_url) and counting them. If we hadn't
stripped out the base URL from the first line, we might have multiple
entries for each domain. See the regex() and
groupBy() reference pages for more information on
those query functions.
In the third line of the query above, notice the parameters for the
sort() function. First is the new field
ref_url we created in
the first line, then
type parameter to
specify the values sorted may include characters or numbers. The second
is how to order the results: in this case, in descending order. Last is
the limit parameter to limit
the results to the first twelve in the sorted list of results. The table
below shows the results.
| ref_url | _count |
|---|---|
| www.zabotkin.ru | 14 |
| www.tangblog.top | 1 |
| www.skidn.com | 1 |
| www.klfd.net | 1 |
| www.iopt.pro | 42 |
| www.google.com.au | 1 |
| www.google.com | 11 |
| www.bing.com | 3 |
To sort events by ascending or descending value, use the
order parameter, for example:
groupby(ref_url)
| sort(ref_url, type=string, order=asc, limit=12)The output has been ordered using a string based (i.e. alphabetical) sorting method.
The limit parameter to
sort() limits the number of rows returned by the
function after the sort has been completed. For example, to sort metrics
by the repository name and then output the top entry:
name=datasource-count
|groupBy([repo])
|sort(field=_count,type=numeric,order=desc,limit=1)The above query works by sorting the grouped counts (in the _count field), explicitly setting the type to numeric and then sorting by high to lowest (descending order).
To sort events by ascending or descending value, use the
order parameter, for example:
groupby(ref_url)
| sort(ref_url, type=string, order=desc, limit=12)
When using multiple fields, supply a corresponding array to
order parameter as the
field parameter, for example:
groupby([ref_url,method])
| sort([ref_url,method], type=string, order=[desc,asc], limit=12)