Documentation > Splunk > Search Reference > sort

Search Reference

 


Welcome
Search Overview
Search Commands
Custom Search Commands

sort

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

sort

Synopsis

Sorts search results by the specified fields.

Syntax

sort [<count>] (<sort-by-clause>)+ [desc]

Arguments

<count>
Syntax: <int>
Description: Specify the number of results to sort. If no count is specified, the default limit of 10000 is used. If "0" is specified, all results will be returned.
desc
Syntax: d | desc
Description: A trailing string that reverses the results.
<field-list>
Syntax: <string>, ...
Description: Comma-delimited list of field names.
<sort-by-clause>
Syntax: ( - | + ) <sort-field>
Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).

Sort field options

<sort-field>
Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)
Description: Options for sort-field.
<field>
Syntax: <string>
Description: The name of field to sort.
auto
Syntax: auto(<field>)
Description: Determine automatically how to sort the field's values.
ip
Syntax: ip(<field>)
Description: Interpret the field's values as an IP address.
num
Syntax: num(<field>)
Description: Treat the field's values as numbers.
str
Syntax: str(<field>)
Description: Order the field's values lexigraphically.

Description

Sorts by the given list of fields. If more than one field is specified, the first denotes the primary sort order, the second denotes the secondary, etc. If the fieldname is immediately (no space) preceded by +, the sort is ascending (default). If the fieldname is immediately (no space) preceded by -, the sort is descending. If white space follows +/-, the sort order is applied to all following fields without a different explicit sort order. Also a trailing d or desc causes the results to be reversed. Results missing a given field are treated as having the smallest or largest possible value of that field if the order es descending or ascending respectively. If the field takes on numeric values, the collating sequence is numeric. If the field takes on ip address values, the collating sequence is for IPs. Otherwise, the collating sequence is lexicographic ordering. If the first term is a number, then at most that many results are returned (in order). If no number is specified, the default limit of 10000 is used. If number is 0, all results will be returned.

Examples

Example 1: Sort results by "ip" value in ascending order and then by "url" value in descending order.

... | sort ip, -url

Example 2: Sort first 100 results in descending order of the "size" field and then by the "source" value in ascending order.

... | sort 100 -size, +source

Example 3: Sort results by the "_time" field in ascending order and then by the "host" value in descending order.

... | sort _time, -host

See also

reverse

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.2/SearchReference/Sort"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!