Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

sort

Description

The sort command sorts all of the results by the specified fields. Results missing a given field are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively.

If the first argument to the sort command is a number, then at most that many results are returned, in order. If no number is specified, the default limit of 10000 is used. If the number 0 is specified, all of the results are returned. See the count argument for more information.

Syntax

The required syntax is in bold.

sort
[<count>]
<sort-by-clause>...
[desc]

Required arguments

<sort-by-clause>
Syntax: [ - | + ] <sort-field>, ( - | + ) <sort-field> ...
Description: List of fields to sort by and the sort order. Use a minus sign (-) for descending order and a plus sign (+) for ascending order. When specifying more than one field, separate the field names with commas. See Sort field options.

Optional arguments

<count>
Syntax: <int> | limit=<int>
Description: Specify the number of results to return from the sorted results. If no count is specified, the default limit of 10000 is used. If 0 is specified, all results are returned. You can specify the count using an integer or precede the count with a label, for example limit=10.

Using sort 0 might have a negative impact performance, depending on how many results are returned.

Default: 10000
desc
Syntax: d | desc
Description: Reverses the order of the results. If multiple fields are specified, reverses the order of the values in the fields in the order in which the fields are specified. For example, if there are three fields specified, the desc argument reverses the order of the values in the first field. For each set of duplicate values in the first field, reverses the order of the corresponding values in the second field. For each set of duplicate values in the second field, reverses the order of the corresponding values in the third field.

Sort field options

<sort-field>
Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)
Description: Options you can specify with <sort-field>.
<field>
Syntax: <string>
Description: The name of field to sort.
auto
Syntax: auto(<field>)
Description: Determine automatically how to sort the values of the field.
ip
Syntax: ip(<field>)
Description: Interpret the values of the field as IP addresses.
num
Syntax: num(<field>)
Description: Interpret the values of the field as numbers.
str
Syntax: str(<field>)
Description: Interpret the values of the field as strings and order the values alphabetically.

Usage

The sort command is a dataset processing command. See Command types.

By default, sort tries to automatically determine what it is sorting. If the field contains numeric values, the collating sequence is numeric. If the field contains on IP address values, the collating sequence is for IP addresses. Otherwise, the collating sequence is in lexicographical order. Some specific examples are:

  • Alphabetic strings are sorted lexicographically.
  • Punctuation strings are sorted lexicographically.
  • Numeric data is sorted as you would expect for numbers and the sort order is specified as ascending or descending.
  • Alphanumeric strings are sorted based on the data type of the first character. If the string starts with a number, the string is sorted numerically based on that number alone. Otherwise, strings are sorted lexicographically.
  • Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.

The sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values, the order might be lexicographical, while for other pairs the order might be numerical.

Results in descending order Description
10.1

9.1

This set of values are sorted numerically because the values are all numeric.
9.1.a

10.1.a

This set of values are sorted lexicographically because the values are alphanumeric strings.

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

Custom sort order

You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.

Basic examples

1. Use the sort field options to specify field types

Sort the results by the ipaddress field in ascending order and then sort by the url field in descending order.

... | sort ip(ipaddress), -str(url)

2. Specifying the number of results to sort

Sort first 100 results in descending order of the "size" field and then by the "source" value in ascending order. This example specifies the type of data in each of the fields. The "size" field contains numbers and the "source" field contains strings.

... | sort 100 -num(size), +str(source)

3. Specifying descending and ascending sort orders

Sort results by the "_time" field in ascending order and then by the "host" value in descending order.

... | sort _time, -host

4. Changing the time format of events for sorting

Change the format of the event's time and sort the results in descending order by the Time field that is created with the eval command.

... | bin _time span=60m | eval Time=strftime(_time, "%m/%d %H:%M %Z") | stats avg(time_taken) AS AverageResponseTime BY Time | sort - Time

(Thanks to Splunk user Ayn for this example.)

5. Return the most recent event

Return the most recent event:

... | sort 1 -_time

6. Use a label with the <count>

You can use a label to identify the number of results to return: Return the first 12 results, sorted by the "host" field in descending order.

... | sort limit=12 host

Extended example

1. Specify a custom sort order

Sort a table of results in a specific order, such as days of the week or months of the year, that is not lexicographical or numeric. For example, suppose you have a search that produces the following table:

Day Total
Friday 120
Monday 93
Tuesday 124
Thursday 356
Weekend 1022
Wednesday 248

Sorting on the day field (Day) returns a table sorted alphabetically, which does not make much sense. Instead, you want to sort the table by the day of the week, Monday to Friday, with the Weekend at the end of the list.

To create a custom sort order, you first need to create a field called sort_field that defines the order. Then you can sort on that field.

... | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="weekend",6) | sort sort_field | fields - sort_field

This search uses the eval command to create the sort_field and the fields command to remove sort_field from the final results table.

The results look something like this:

Day Total
Monday 93
Tuesday 124
Wednesday 248
Thursday 356
Friday 120
Weekend 1022

(Thanks to Splunk users Ant1D and Ziegfried for this example.)

For additional custom sort order examples, see the blog Order Up! Custom Sort Orders and the Extended example in the rangemap command.

See also

reverse

Last modified on 18 January, 2024
snoweventstream   spath

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters