Lexicographical order
Some of the SPL2 commands sort search results using lexicographical order. The most commonly used commands are the ORDER BY clause in the from command, and the search, sort and timechart commands.
Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.
- Numbers are sorted before letters. Numbers are sorted based on the first digit.
- Uppercase letters are sorted before lowercase letters.
- Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.
Here are some examples.
The following table shows some numbers in your events and the results of sorting the numbers lexicographically. Numbers are sorted based on their first digit.
| Events | Lexicographical order |
|---|---|
| 10 | 10 |
| 9 | 100 |
| 70 | 70 |
| 100 | 9 |
The following table shows a list of product IDs in your events. The product IDs are sometimes in uppercase and sometimes in lowercase. The lexicographical order sorts the uppercase product IDs before the lowercase product IDs.
| Events | Lexicographical order |
|---|---|
| SF-01 | BS-09 |
| pz-05 | DC-02 |
| BS-09 | MB-07 |
| MB-07 | PZ-05 |
| DC-02 | SF-01 |
| PZ-05 | mb-07 |
| mb-07 | pz-05 |
Custom sort orders
You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.
| Time zones | Wildcards |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!