Splunk® Cloud Services

SPL2 Search Reference

sort command overview

The SPL2 sort command sorts all of the results by the specified fields. Results that are missing a given field are treated as having the smallest possible value of that field when the sort is descending, or the largest possible value of that field when the sort is ascending.

Syntax

The required syntax is in bold.

sort
[<count>]
[<sort-order>]
[<sort-option>]
<field>

How the SPL2 sort command works

The SPL2 sort command is most often used at the end of your search, either as the last command or the next to the last command.

Here is an example of some data returned by a search:

supplier_id  supplier_name        city         state/province          country
5007         EuroToys             Prague       Central Bohemia         Czech Republic
1009         Mile High Games      Denver       Colorado                United States
7024         Happy Fun Games      Kyoto        Kyoto                   Japan
1237         Area 51 Games        Roswell      New Mexico              United States
4111         Isthmus Pastimes     Panama City  Panama                  Panama
5017         Der Kriegsspiel      Cologne      North Rhine-Westphalia  Germany
7045         Kiwi Game Warehouse  Auckland     Auckland                New Zealand
1080         EuroToys             Dublin                               Ireland

You want to sort the data by supplier ID:

... | sort supplier_id

The results look like this:

supplier_id  supplier_name        city         state/province          country
1009         Mile High Games      Denver       Colorado                United States
1080         EuroToys             Dublin                               Ireland
1237         Area 51 Games        Roswell      New Mexico              United States
4111         Isthmus Pastimes     Panama City  Panama                  Panama
5007         EuroToys             Prague       Central Bohemia         Czech Republic
5017         Der Kriegsspiel      Cologne      North Rhine-Westphalia  Germany
7024         Happy Fun Games      Kyoto        Kyoto                   Japan
7045         Kiwi Game Warehouse  Auckland     Auckland                New Zealand

To sort by Supplier Name and then Supplier ID, specify a comma between the field names when you add the sort command to your search:

... | sort supplier_name, supplier_id


The results look like this:

supplier_id  supplier_name        city         state/province          country
1237         Area 51 Games        Roswell      New Mexico              United States
5017         Der Kriegsspiel      Cologne      North Rhine-Westphalia  Germany
1080         EuroToys             Dublin                               Ireland
5007         EuroToys             Prague       Central Bohemia         Czech Republic
7024         Happy Fun Games      Kyoto        Kyoto                   Japan
4111         Isthmus Pastimes     Panama City  Panama                  Panama
7045         Kiwi Game Warehouse  Auckland     Auckland                New Zealand
1009         Mile High Games      Denver       Colorado                United States

Notice that both of the EuroToys suppliers are listed together and that those two rows are in ascending order by supplier ID. The default sort order is ascending order. To specify descending order, add a minus ( - ) sign before the field name.

To learn how alphanumeric strings and punctuation are sorted, see sort command usage.
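The following Python model is an added example, not Splunk code. It applies the rules described on this page (comma-separated sort keys, a minus sign for descending order, and the missing-field rule from the overview) to the sample data. It assumes that the blank state/province cell in the Dublin row is a missing field and that Python's native comparison stands in for SPL2's ordering; the names spl2_sort_model and ids are hypothetical.

```python
# Added model of the sort rules described on this page; not Splunk's implementation.
FIELDS = ("supplier_id", "supplier_name", "city", "state/province", "country")
RAW = [  # the page's sample rows; None = blank cell, assumed to be a missing field
    (5007, "EuroToys", "Prague", "Central Bohemia", "Czech Republic"),
    (1009, "Mile High Games", "Denver", "Colorado", "United States"),
    (7024, "Happy Fun Games", "Kyoto", "Kyoto", "Japan"),
    (1237, "Area 51 Games", "Roswell", "New Mexico", "United States"),
    (4111, "Isthmus Pastimes", "Panama City", "Panama", "Panama"),
    (5017, "Der Kriegsspiel", "Cologne", "North Rhine-Westphalia", "Germany"),
    (7045, "Kiwi Game Warehouse", "Auckland", "Auckland", "New Zealand"),
    (1080, "EuroToys", "Dublin", None, "Ireland"),
]
# Drop None values so the field is genuinely absent from that row.
ROWS = [{f: v for f, v in zip(FIELDS, r) if v is not None} for r in RAW]


def spl2_sort_model(rows, *keys):
    """Sort rows by keys such as "supplier_name" or "-supplier_id"."""
    result = list(rows)
    # Apply keys right to left: Python's sort is stable, so the leftmost
    # key ends up as the primary key, as in `sort a, b`.
    for key in reversed(keys):
        descending = key.startswith("-")
        field = key[1:] if descending else key
        present = [r for r in result if field in r]
        missing = [r for r in result if field not in r]
        present.sort(key=lambda r: r[field], reverse=descending)
        # Missing counts as largest when ascending and smallest when
        # descending, so those rows follow every row that has the field.
        result = present + missing
    return result


def ids(rows):
    """Return the supplier_id column, to make result order easy to compare."""
    return [r["supplier_id"] for r in rows]


if __name__ == "__main__":
    print(ids(spl2_sort_model(ROWS, "supplier_name", "supplier_id")))
    print(ids(spl2_sort_model(ROWS, "state/province")))
    print(ids(spl2_sort_model(ROWS, "-state/province")))
```

In both the ascending and the descending sort on state/province, the Dublin row comes last, so results that lack the sort field never appear at the top of the output.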

See also

sort command
sort command syntax details
sort command usage
sort command examples
Related information in the SPL2 Search Manual
Commands that sort results
Lexicographical order
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

