When collating a group of field data that includes a field that you also
want to sort on, use the collect() function with an embedded call to the
sort() function in your aggregate function call.
For example, if you are reporting on data that you want to summarize by
a field value and a formatted timestamp, you can sort the collected
fields by the timestamp using this format:
Sorting fields based on aggregated field values
Search Repository: humio
timestamp := formatTime(format="%H:%M")
| groupBy([thread],
function=[{sort("timestamp")
| collect("timestamp")}])
When using aggregation, you may want to sort on a field that is
part of the aggregated set but not the main feature of the
aggregated value. For example, sorting the values by their
timestamp rather than the embedded value. To achieve this, you
should use a function that sorts the field to be used as the sort
field, and then use collect() so that the value from before the
aggregation can be displayed in the generated event set. This query
can be executed in the humio repository.
Starting with the source repository events.
timestamp := formatTime(format="%H:%M")
Creates a new field, timestamp, formatted as HH:MM.
Groups the events, first by the name of the thread and then the
formatted timestamp.
function=[{sort("timestamp")
| collect("timestamp")}])
Uses sort() combined with collect() as the method of aggregation. As an
embedded expression for the function, this will sort the events on the
timestamp field and then retrieve the field, as it would normally be
removed as part of the aggregation process.
Event Result set.
The result set will contain a list of the aggregated thread names sorted
by the timestamp: