sort
Contents
sort
Synopsis
Sorts search results by the specified fields.
Syntax
sort [<count>] (<sort-by-clause>)+ [desc]
Required arguments
- <count>
- Syntax: <int>
- Description: Specify the number of results to sort. If no count is specified, the default limit of 10000 is used. If "0" is specified, all results will be returned.
- <sort-by-clause>
- Syntax: ( - | + ) <sort-field>
- Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).
Optional arguments
- desc
- Syntax: d | desc
- Description: A trailing string that reverses the results.
Sort field options
- <sort-field>
- Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)
- Description: Options for sort-field.
- <field>
- Syntax: <string>
- Description: The name of field to sort.
- auto
- Syntax: auto(<field>)
- Description: Determine automatically how to sort the field's values.
- ip
- Syntax: ip(<field>)
- Description: Interpret the field's values as an IP address.
- num
- Syntax: num(<field>)
- Description: Treat the field's values as numbers.
- str
- Syntax: str(<field>)
- Description: Order the field's values lexigraphically.
Description
The sort command sorts the results by the given list of fields. Results missing a given field are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively.
If the first argument to the sort command is a number, then at most that many results are returned (in order). If no number is specified, the default limit of 10000 is used. If the number 0 is specified, all results will be returned.
By default, sort tries to automatically determine what it is sorting. If the field takes on numeric values, the collating sequence is numeric. If the field takes on IP address values, the collating sequence is for IPs. Otherwise, the collating sequence is lexicographic ordering. Some specific examples are:
- Numeric data is sorted as you would expect for numbers (depending on sort order specified, ascending or descending)
- Alphabetic strings are sorted lexicographically.
- Punctuation strings are sorted lexicographically
- Alphanumeric strings are sorted based on the data type of the first character. If it starts with a number, it's sorted numerically based on that number alone; otherwise, it's sorted lexicographically.
- Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.
In the default automatic mode for a field, the sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values, the order may be lexicographical, while for other pairs the order may be numerical. For example, if sorting in descending order, 10.1 > 9.1, but 10.1.a < 9.1.a.
Examples
Example 1: Sort results by "ip" value in ascending order and then by "url" value in descending order.
... | sort ip, -urlExample 2: Sort first 100 results in descending order of the "size" field and then by the "source" value in ascending order.
... | sort 100 -size, +sourceExample 3: Sort results by the "_time" field in ascending order and then by the "host" value in descending order.
... | sort _time, -hostSee also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sort command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.