Splunk® Cloud Services

SPL2 Search Reference

sort command: Overview, syntax, and usage

The SPL2 sort command sorts all of the results by the specified fields. Results missing a given field are treated as having the smallest possible value of that field if descending or largest possible value of that field if ascending.

How the SPL2 sort command works

The SPL2 sort command is most often used at the end of your search, either as the last command or the next to the last command.

Here is an example of some data returned by a search:

| supplier_id | supplier_name | city | state/province | country |
| --- | --- | --- | --- | --- |
| 5007 | EuroToys | Prague | Central Bohemia | Czech Republic |
| 1009 | Mile High Games | Denver | Colorado | United States |
| 7024 | Happy Fun Games | Kyoto | Kyoto | Japan |
| 1237 | Area 51 Games | Roswell | New Mexico | United States |
| 4111 | Isthmus Pastimes | Panama City | Panama | Panama |
| 5017 | Der Kriegsspiel | Cologne | North Rhine-Westphalia | Germany |
| 7045 | Kiwi Game Warehouse | Auckland | Auckland | New Zealand |
| 1080 | EuroToys | Dublin | | Ireland |

You want to sort the data by supplier ID:

... | sort supplier_id

The results look like this:

| supplier_id | supplier_name | city | state/province | country |
| --- | --- | --- | --- | --- |
| 1009 | Mile High Games | Denver | Colorado | United States |
| 1080 | EuroToys | Dublin | | Ireland |
| 1237 | Area 51 Games | Roswell | New Mexico | United States |
| 4111 | Isthmus Pastimes | Panama City | Panama | Panama |
| 5007 | EuroToys | Prague | Central Bohemia | Czech Republic |
| 5017 | Der Kriegsspiel | Cologne | North Rhine-Westphalia | Germany |
| 7024 | Happy Fun Games | Kyoto | Kyoto | Japan |
| 7045 | Kiwi Game Warehouse | Auckland | Auckland | New Zealand |

To sort by Supplier Name and then Supplier ID, specify a comma between the field names when you add the sort command to your search:

... | sort supplier_name, supplier_id


The results look like this:

| supplier_id | supplier_name | city | state/province | country |
| --- | --- | --- | --- | --- |
| 1237 | Area 51 Games | Roswell | New Mexico | United States |
| 5017 | Der Kriegsspiel | Cologne | North Rhine-Westphalia | Germany |
| 1080 | EuroToys | Dublin | | Ireland |
| 5007 | EuroToys | Prague | Central Bohemia | Czech Republic |
| 7024 | Happy Fun Games | Kyoto | Kyoto | Japan |
| 4111 | Isthmus Pastimes | Panama City | Panama | Panama |
| 7045 | Kiwi Game Warehouse | Auckland | Auckland | New Zealand |
| 1009 | Mile High Games | Denver | Colorado | United States |

Notice that the two EuroToys suppliers are listed together and that, within that group, the supplier IDs are in ascending order. The default sort order is ascending. To specify descending order, add a minus ( - ) sign before the field name.

To learn how alphanumeric strings and punctuation are sorted, see the Usage section.

Syntax

The required syntax elements are sort and <field>. Elements in square brackets are optional.

sort [<count>] [<sort-order>] [<sort-option>] <field>

Required arguments

<field>
Syntax: <field> [,<field>]...
Description: One or more fields to sort by. When specifying more than one field, separate the field names with commas.

Optional arguments

<count>
Syntax: <integer>
Description: Specify the maximum number of results to return from the sorted results. You must specify the count before specifying the fields. If no count is specified, the default limit of 10000 is used. If 0 is specified, all of the results are returned.
Default: 10000

Using sort 0 might have a negative impact on performance, depending on how many results are returned. Try to filter the results to minimize the number of results before using the sort command.

<sort-order>
Syntax: + | -
Description: Use a minus sign ( - ) for descending order and a plus sign ( + ) for ascending order.
Default: Ascending ( + )

<sort-option>
Syntax: auto | ip | num | str
Description: Options you can specify with <field>. The default sort option is auto. See sort command examples.

| sort option | Description |
| --- | --- |
| auto | Determine the type of field value automatically. This is the default sort option. |
| ip | Interpret the values of the field as IP addresses. |
| num | Interpret the values of the field as numbers. |
| str | Interpret the values of the field as strings and order the values alphabetically. |

Usage

By default, the sort command tries to automatically determine what it is sorting. If the field contains numeric values, the collating sequence is numeric. If the field contains IP address values, the collating sequence is for IP addresses. Otherwise, the collating sequence is in lexicographical order.

How data is interpreted and sorted

  • Punctuation strings are sorted lexicographically.
  • Numeric data is sorted as you would expect for numbers and the sort order is specified as ascending or descending.
  • Alphanumeric strings are sorted based on the data type of the first character. If the string starts with a number, the string is sorted numerically based on that number alone. Otherwise, strings are sorted lexicographically.
  • Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.

The sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values, the order might be lexicographical, while for other pairs the order might be numerical.

| Results in descending order | Description |
| --- | --- |
| 10.1, 9.1 | This set of values is sorted numerically because the values are all numeric. |
| 9.1.a, 10.1.a | This set of values is sorted lexicographically because the values are alphanumeric strings. |

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.
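
The ordering rules from the Usage and Lexicographical order sections, modeled in Python as an added example (this is not Splunk code and not part of the original documentation). The function names and the sample IP addresses are constructed for illustration, and the auto branch is a simplified reading of the pairwise rule described above.

```python
import ipaddress
from functools import cmp_to_key

# Constructed sample values (not from the Splunk documentation).
SAMPLE_IPS = ["10.0.0.9", "10.0.0.100", "9.255.0.1", "192.168.1.20"]

def as_num(v):
    """Return v as a float, or None when v is not purely numeric."""
    try:
        return float(v)
    except ValueError:
        return None

def as_ip(v):
    """Return v as an IP address object, or None when v is not one."""
    try:
        return ipaddress.ip_address(v)
    except ValueError:
        return None

def lex_key(v):
    """Lexicographical order compares the UTF-8 bytes of the value."""
    return v.encode("utf-8")

def auto_compare(a, b):
    """Pairwise 'auto' decision: numeric, then IP, otherwise lexicographical."""
    for parse in (as_num, as_ip):
        x, y = parse(a), parse(b)
        if x is not None and y is not None and type(x) is type(y):
            return (x > y) - (x < y)
    x, y = lex_key(a), lex_key(b)
    return (x > y) - (x < y)

def model_sort(values, option="auto", descending=False):
    """Order string values as described for auto | ip | num | str.

    The explicit options raise an exception on a value they cannot interpret.
    """
    keys = {"str": lex_key, "num": float, "ip": ipaddress.ip_address,
            "auto": cmp_to_key(auto_compare)}
    return sorted(values, key=keys[option], reverse=descending)

if __name__ == "__main__":
    print("str :", model_sort(SAMPLE_IPS, "str"))
    print("ip  :", model_sort(SAMPLE_IPS, "ip"))
    print("auto:", model_sort(["9.1.a", "10.1.a"], descending=True))
```

Comparing the str and ip results on the same addresses shows why a field of IP addresses that is treated as strings puts 10.0.0.100 ahead of 10.0.0.9 and 9.255.0.1 last.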

Differences between SPL and SPL2

The differences between the SPL and SPL2 sort command are described in these sections.

Some field names require single quotation marks

Field names that contain anything other than [a-z][A-Z][0-9] or "_" need single quotation marks. In this example, the field name is host-123. Because the name contains a dash, it must be enclosed in single quotation marks.

| Version | Example |
| --- | --- |
| SPL | ...sort host-123 |
| SPL2 | ...sort 'host-123' |


See also

sort command
sort command: Examples
Related information in the SPL2 Search Manual
Commands that sort results
Lexicographical order
Last modified on 10 April, 2025

This documentation applies to the following versions of Splunk® Cloud Services: current

