The sort() query function is used to sorts events
based on a given field — or fields. Events can be sorted by multiple
fields by setting the field parameter to an array of field names (i.e.,
between square-brackets in a comma-separated list). Likewise, the order
and type of each field can be specified by setting the order and type
parameter to arrays.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
field | [string] | false | _count | The fields by which to sort events. [a] |
limit | number | false | 200 | The maximum number of events included in results. |
order | [string] | false | desc | The order in which to sort. |
| Valid Values | asc | Sort ascending | ||
| desc | Sort descending | |||
reverse | boolean | false | false | Whether to sort in descending order. This is deprecated: use instead order. |
| Valid Values | false | Sort ascending | ||
| true | Sort descending | |||
type | [string] | false | any | The type of fields to sort. |
| Valid Values | any | Any fields | ||
| hex | Hexaedecimal fields | |||
| number | Numerical fields | |||
| string | String fields | |||
If the order or
type parameter is a single value,
all fields are sorted with the same order or type.
Setting the type field tells sort() how to compare
the individual values, either using lexicographical order (i.e.,
string), numerical magnitude (i.e.,
number,
hex), or automatically based on the
first value it finds (i.e., any).
The hex parameter supports numbers
as strings starting with either 0x,
0X, or no prefix.
Warning
Sorting is performed in memory. For optimum performance avoid sorting
large numbers of events. Perform filtering first and sort the results,
or use aggregation to simplify the event list before sorting. Putting
sort() last in a query, after an aggregating
function will offer the best performance.
Examples
As an example, suppose you have LogScale ingesting data from a web
server and want to get a list of referring domains and sub-domains. That
is to say, the URLs without the path and web page from which it came
(e.g., just www.example.com from
http://www.example.com/sales/great-sites.html).
Suppose further that you want a count of each referrer and want to sort
them alphabetically in reverse order — because we're fickle like
that. Below is an example of how that might be done:
regex(regex="/.*/(?<ref_url>.+?)(/|$)", field=referrer) |
groupby(ref_url) |
sort(ref_url, type=any, order=desc, limit=12)
In the first line here, we're using the regex()
function to extract just the first part of the URL, dropping everything
after the domain and first slash. On the second line we're using
groupBy() to group on each referrer (i.e.,
ref_url) and counting them. If we
hadn't stripped out the base URL from the first line, we might have
multiple entries for each domain. See the regex()
and groupBy() reference pages for more information
on those query functions.
In the third line of the query above, notice the parameters for the
sort() function. First is the new field
ref_url we created in the first
line, then type parameter to
specify the values sorted may include characters or numbers. The second
is how to order the results: in this case, in descending order. Last is
the limit parameter to limit the
results to the first twelve in the sorted list of results. The
screenshot in Figure 1 here shows the results in a Table widget.
Figure 297. sort() Examples