sort
Synopsis
Sorts search results by the specified fields.
Syntax
sort [<count>] (<sort-by-clause>)+ [desc]
Required arguments
- <count>
- Syntax: <int>
- Description: Specify the number of results to sort. If no count is specified, the default limit of 10000 is used. If "0" is specified, all results will be returned.
- <sort-by-clause>
- Syntax: ( - | + ) <sort-field>
- Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).
Optional arguments
- desc
- Syntax: d | desc
- Description: A trailing string that reverses the results.
Sort field options
- <sort-field>
- Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)
- Description: Options for sort-field.
- <field>
- Syntax: <string>
- Description: The name of the field to sort by.
- auto
- Syntax: auto(<field>)
- Description: Determine automatically how to sort the field's values.
- ip
- Syntax: ip(<field>)
- Description: Interpret the field's values as an IP address.
- num
- Syntax: num(<field>)
- Description: Treat the field's values as numbers.
- str
- Syntax: str(<field>)
- Description: Order the field's values lexicographically.
Description
The sort command sorts the results by the given list of fields. Results missing a given field are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively.
If the first argument to the sort command is a number, then at most that many results are returned (in order). If no number is specified, the default limit of 10000 is used. If the number 0 is specified, all results will be returned.
By default, sort tries to automatically determine what it is sorting. If the field takes on numeric values, the collating sequence is numeric. If the field takes on IP address values, the collating sequence is for IPs. Otherwise, the collating sequence is lexicographic ordering. Some specific examples are:
- Alphabetic strings are sorted lexicographically.
- Punctuation strings are sorted lexicographically.
- Numeric data is sorted numerically, in the specified order (ascending or descending).
- Alphanumeric strings are sorted based on the data type of the first character. If it starts with a number, it's sorted numerically based on that number alone; otherwise, it's sorted lexicographically.
- Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.
In the default automatic mode for a field, the sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values, the order may be lexicographical, while for other pairs the order may be numerical. For example, if sorting in descending order: 10.1 > 9.1, but 10.1.a < 9.1.a.
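The following Python is an added illustration, not part of the Splunk documentation and not Splunk's implementation: it models the per-pair type detection described above (numeric if both values parse as numbers, IP if both parse as addresses, otherwise lexicographic), then shows why an analyst sorting addresses or byte counts should name the type with ip() or num() rather than rely on auto. Plain string order puts 10.0.0.10 before 10.0.0.9, and a comparator that re-decides the type per pair can even produce a cycle over mixed values, so the resulting order of a column is not well defined. The detection rules are my simplification of the page's text.

```python
import ipaddress
from functools import cmp_to_key


def _as_num(v):
    try:
        return float(v)
    except ValueError:
        return None


def _as_ip(v):
    try:
        return ipaddress.ip_address(v)
    except ValueError:
        return None


def _sign(a, b):
    return (a > b) - (a < b)


def auto_compare(a, b):
    """Per-pair type detection, as the page describes for the default mode.
    Returns -1, 0 or 1 like a classic comparator (simplified model)."""
    na, nb = _as_num(a), _as_num(b)
    if na is not None and nb is not None:
        return _sign(na, nb)                 # both numeric -> numeric order
    ia, ib = _as_ip(a), _as_ip(b)
    if ia is not None and ib is not None and ia.version == ib.version:
        return _sign(ia, ib)                 # both IPs -> octet-wise order
    return _sign(a, b)                       # otherwise lexicographic


def sort_auto(values, descending=False):
    return sorted(values, key=cmp_to_key(auto_compare), reverse=descending)


def sort_str(values, descending=False):      # str(<field>)
    return sorted(values, reverse=descending)


def sort_ip(values, descending=False):       # ip(<field>)
    return sorted(values, key=ipaddress.ip_address, reverse=descending)


def sort_num(values, descending=False):      # num(<field>)
    return sorted(values, key=float, reverse=descending)


def is_transitive(a, b, c):
    """False when auto_compare forms a cycle a<b<c<a (or a>b>c>a)."""
    ab, bc, ca = auto_compare(a, b), auto_compare(b, c), auto_compare(c, a)
    return not (ab == bc == ca and ab != 0)
```

The cycle check shows the practical risk: with constructed values "2", "10" and "1a" in one field, auto mode compares the first pair numerically and the other two lexicographically, so no consistent ranking exists.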
Examples
Example 1: Sort results by "ip" value in ascending order and then by "url" value in descending order.
... | sort num(ip), -str(url)
Example 2: Sort the first 100 results in descending order of the "size" field and then by the "source" value in ascending order.
... | sort 100 -num(size), +str(source)
Example 3: Sort results by the "_time" field in ascending order and then by the "host" value in descending order.
... | sort _time, -host
Example 4: Change the format of the event's time and sort the results in descending order by the new time.
... | bucket _time span=60m | eval Time=strftime(_time, "%m/%d %H:%M %Z") | stats avg(time_taken) AS AverageResponseTime BY Time | sort - Time
(Thanks to Ayn for this example.)
Example 5: Sort a table of results in a specific order, such as days of the week or months of the year, that is neither lexicographical nor numeric. For example, you have a search that produces the following table:
| Day | Total |
|---|---|
| Friday | 120 |
| Monday | 93 |
| Tuesday | 124 |
| Thursday | 356 |
| Weekend | 1022 |
| Wednesday | 248 |
Sorting on the day field (Day) returns a table sorted alphabetically, which doesn't make much sense. Instead, you want to sort the table by the day of the week, Monday to Friday. To do this, you first need to create a field (sort_field) that defines the order. Then you can sort on this field.
... | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="weekend",6) | sort sort_field | fields - sort_field
This search uses the eval command to create the sort_field and the fields command to remove sort_field from the final results table.
(Thanks to Ant1D and Ziegfried for this example.)
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sort command.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2
Comments
Me anand1984,
Nope. That really is the only way to do this particular type of sorting.
I'm using the below command today, but would love to find a better way:
| eval temp=lower(APP) | sort temp | fields APP
I would love to have a way to sort case-insensitively. I see in Splunk Answers that a lot of people are interested in it.
Do not trust auto sort; prefer to specify a format: sort num(field) or sort str(field).