sort() Query Function

Sorts events by their fields.

Events can be sorted by multiple fields by setting the field parameter to an array of field names. Likewise, the order and type of each field can be specified by setting the order and type parameters to arrays. If the order or type parameter is a single value, all fields are sorted with the same order or type. order and reverse cannot be specified at the same time.

Setting the type parameter tells sort how to compare the individual values: using lexicographical order (string), numerical magnitude (number, hex), or automatically based on the first value it finds (any). hex supports numbers as strings starting with either 0x, 0X or no prefix.

Warning: sorting is done in memory, so do not sort huge numbers of events. This is typically not a problem if the result has been aggregated. Typically sort is put last in the query, after an aggregating function.

Parameters

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| field | [string] | No | _count | Names of fields to sort by. |
| type | [string] | No | | Type of the fields to sort. Can be any, string, number, or hex. |
| reverse | boolean | No | | Whether to sort in descending order. Deprecated: prefer order instead. |
| order | [string] | No | | Order to sort in. Can be any prefix of ascending or descending. descending is default. |
| limit | number | No | | Limit result size. If no limit is specified a default limit of 200 is used. |

The implied parameter is field.

Examples

Count the different HTTP status codes for a webserver and sort them descending by their count

```humio
groupby(field=statuscode, function=count()) | sort(field=_count, type=number, order=desc)
```

Find the 50 slowest requests from service A

```humio
service=my-service-a | sort(responsetime, limit=50)
```

Sort all results by statuscode, then by response_size within each statuscode

```humio
#type=accesslog | sort([statuscode, response_size])
```
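
How type, per-field order arrays and limit interact, shown with a small Python model of the semantics described on this page. This is an added example, not Humio code: model_sort, its helpers and the sample events are constructed for illustration, and the any type is not modelled.

```python
# Added illustration: a Python model of the documented sort() semantics.
# Not Humio's implementation; all names and events here are constructed.

def _key(value, type_):
    """Turn a raw string value into a comparison key for the given type."""
    if type_ == "string":
        return value                      # lexicographical order
    if type_ == "number":
        return float(value)               # numerical magnitude
    if type_ == "hex":
        digits = value[2:] if value[:2] in ("0x", "0X") else value
        return int(digits, 16)            # 0x, 0X or no prefix
    raise ValueError(f"type not modelled: {type_}")

def _broadcast(param, n):
    """A single value applies to every field; an array is taken per field."""
    values = [param] * n if isinstance(param, str) else list(param)
    if len(values) != n:
        raise ValueError("array length must match the number of fields")
    return values

def model_sort(events, field, type="string", order="descending", limit=200):
    fields = [field] if isinstance(field, str) else list(field)
    types = _broadcast(type, len(fields))
    orders = _broadcast(order, len(fields))
    result = list(events)
    # Stable sorts applied from the last field to the first give
    # "by field 1, then by field 2 within each value of field 1".
    for f, t, o in reversed(list(zip(fields, types, orders))):
        if not o or not ("ascending".startswith(o) or "descending".startswith(o)):
            raise ValueError(f"order must be a prefix of ascending/descending: {o}")
        result.sort(key=lambda e: _key(e[f], t), reverse="descending".startswith(o))
    return result[:limit]

# Constructed sample events (all values are strings, as in raw log fields).
EVENTS = [
    {"statuscode": "200", "response_size": "9000", "pid": "0x1F"},
    {"statuscode": "500", "response_size": "120000", "pid": "a"},
    {"statuscode": "200", "response_size": "35000", "pid": "0X100"},
    {"statuscode": "500", "response_size": "800", "pid": "2b"},
]
```

With limit=1, sorting response_size as string returns the 9000-byte event, while type=number returns the 120000-byte one, so a top-N query with the wrong comparison type can leave the largest values out of the result entirely.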