sort command usage
By default, the sort command tries to automatically determine what it is sorting. If the field contains numeric values, the collating sequence is numeric. If the field contains IP address values, the collating sequence is for IP addresses. Otherwise, the collating sequence is in lexicographical order.
How data is interpreted and sorted
- Punctuation strings are sorted lexicographically.
- Numeric data is sorted as you would expect for numbers and the sort order is specified as ascending or descending.
- Alphanumeric strings are sorted based on the data type of the first character. If the string starts with a number, the string is sorted numerically based on that number alone. Otherwise, strings are sorted lexicographically.
- Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.
The sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values, the order might be lexicographical, while for other pairs the order might be numerical.
| Results in descending order | Description |
|---|---|
| 10.1 9.1 |
This set of values are sorted numerically because the values are all numeric. |
| 9.1.a 10.1.a |
This set of values are sorted lexicographically because the values are alphanumeric strings. |
Lexicographical order
Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.
- Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
- Uppercase letters are sorted before lowercase letters.
- Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.
You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.
Differences between SPL and SPL2
Some field names require single quotation marks
Field names that contain anything other than [a-z][A-Z][0-9] or "_", need single quotation marks. In this example the field name is host-123 and because it contains a dash, it must be enclosed in single quotation marks.
| Version | Example |
|---|---|
| SPL | ...sort host-123 |
| SPL2 | ...sort 'host-123' |
See also
| sort command syntax details | sort command examples |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!