Related Answers
Download topic as PDF
sort
Description
The sort command sorts all of the results by the specified fields. Results missing a given field are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively.
If the first argument to the sort command is a number, then at most that many results are returned, in order. If no number is specified, the default limit of 10000 is used. If the number 0 is specified, all of the results are returned. See the count argument for more information.
Syntax
sort [<count>] <sort-by-clause>... [desc]
Required arguments
- <sort-by-clause>
- Syntax: ( - | + ) <sort-field>, ( - | + ) <sort-field> ...
- Description: List of fields to sort by and the sort order. Use a minus sign (-) for descending order and a plus sign (+) for ascending order. When specifying more than one field, separate the field names with commas. See Sort field options.
Optional arguments
- <count>
- Syntax: <int>
- Description: Specify the number of results to return from the sorted results. If no count is specified, the default limit of 10000 is used. If
0is specified, all results are returned. - Default: 10000
- desc
- Syntax: d | desc
- Description: Reverses the order of the results. If multiple fields are specified, reverses the order of the values in the fields in the order in which the fields are specified. For example, if there are three fields specified, the
descargument reverses the order of the values in the first field. For each set of duplicate values in the first field, reverses the order of the corresponding values in the second field. For each set of duplicate values in the second field, reverses the order of the corresponding values in the third field.
Sort field options
- <sort-field>
- Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)
- Description: Options you can specify with <sort-field>.
- <field>
- Syntax: <string>
- Description: The name of field to sort.
- auto
- Syntax: auto(<field>)
- Description: Determine automatically how to sort the values of the field.
- ip
- Syntax: ip(<field>)
- Description: Interpret the values of the field as IP addresses.
- num
- Syntax: num(<field>)
- Description: Interpret the values of the field as numbers.
- str
- Syntax: str(<field>)
- Description: Interpret the values of the field as strings and order the values alphabetically.
Usage
By default, sort tries to automatically determine what it is sorting. If the field takes on numeric values, the collating sequence is numeric. If the field takes on IP address values, the collating sequence is for IPs. Otherwise, the collating sequence is in lexicographical order. Some specific examples are:
- Alphabetic strings are sorted lexicographically.
- Punctuation strings are sorted lexicographically.
- Numeric data is sorted as you would expect for numbers and the sort order is specified as ascending or descending.
- Alphanumeric strings are sorted based on the data type of the first character. If the string starts with a number, the string is sorted numerically based on that number alone. Otherwise, strings are sorted lexicographically.
- Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.
In the default automatic mode for a field, the sort order is determined between each pair of values that are compared at any one time. This means that for some pairs of values, the order might be lexicographical, while for other pairs the order might be numerical. For example, if sorting in descending order: 10.1 > 9.1, but 10.1.a < 9.1.a.
Lexicographical order
Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.
- Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
- Uppercase letters are sorted before lowercase letters.
- Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.
You can specify a custom sort order that overrides the lexicographical order. See the blog Order Up! Custom Sort Orders.
Examples
1. Use the sort field options to specify field types
Sort results by "ip" value in ascending order and then sort by the "url" value in descending order.
... | sort num(ip), -str(url)
2. Specifying the number of results to sort
Sort first 100 results in descending order of the "size" field and then by the "source" value in ascending order. This example specifies the type of data in each of the fields. The "size" field contains numbers and the "source" field contains strings.
... | sort 100 -num(size), +str(source)
3. Specifying descending and ascending sort orders
Sort results by the "_time" field in ascending order and then by the "host" value in descending order.
... | sort _time, -host
4. Changing the time format of events for sorting
Change the format of the event's time and sort the results in descending order by the Time field that is created with the eval command.
... | bin _time span=60m | eval Time=strftime(_time, "%m/%d %H:%M %Z") | stats avg(time_taken) AS AverageResponseTime BY Time | sort - Time
(Thanks to Splunk user Ayn for this example.)
5. Specify a custom sort order
Sort a table of results in a specific order, such as days of the week or months of the year, that is not lexicographical or numeric. For example, you have a search that produces the following table:
| Day | Total |
|---|---|
| Friday | 120 |
| Monday | 93 |
| Tuesday | 124 |
| Thursday | 356 |
| Weekend | 1022 |
| Wednesday | 248 |
Sorting on the day field (Day) returns a table sorted alphabetically, which does not make much sense. Instead, you want to sort the table by the day of the week, Monday to Friday. To do this, you first need to create a field (sort_field) that defines the order. Then you can sort on this field.
... | eval wd=lower(Day) | eval sort_field=case(wd=="monday",1, wd=="tuesday",2, wd=="wednesday",3, wd=="thursday",4, wd=="friday",5, wd=="weekend",6) | sort sort_field | fields - sort_field
This search uses the eval command to create the sort_field and the fields command to remove sort_field from the final results table.
(Thanks to Splunk users Ant1D and Ziegfried for this example.)
6. Return the most recent event
Return the most recent event:
... | sort 1 -_time
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sort command.
|
PREVIOUS snoweventstream |
NEXT spath |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.4, 6.4.10, 6.4.11, 6.0.1, 6.4.3, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 6.4.5, 6.4.6, 6.4.7
Comments
try this yourself:
| makeresults count=9
| streamstats count AS uid
| fields - _time
| eval city=case(uid<4,"B", uid<7,"A", uid<10,"C")
| eval state=case(uid IN (1,6,8),"B", uid IN (2,5,7),"A", uid IN (3,4,9),"C")
| sort city, state desc
Could you please update the docs clarifying 2 things:
1) while "desc" is a valid optional argument, there is no "asc"
2) please stress that "desc" REVERSES order; it does NOT actually sort in descending order (as the name implies) <-- this is super misleading
I have a config file, when imported it is alpha sorted. How can I have the output unsorted (in its original format)?
Thanks.
Sorry if this is really basic.
I have a search followed by a rex sed-mode command and I want to sort the results alphabetically. For example:
logger | rex field=_raw mode=sed s/^bunch of stuff:// | sort +_raw
This doesn't work though. I think it might still be using the substituted portion of the sed command to sort the output.
Any ideas?
Clavelle
Here is what you need for a custom sort order. Assume the field your values is named "status"
... | eval sort_field=case(status="critical",1, status="high",2, status="medium",3,
status="low",4)
| sort sort_field
There are other examples of a custom sort order in the Examples section and also in the documentation for the case function: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions
Is there a way to force it to not sort lexicographically? I need the order "critical, high, medium, low," not "critical, high, low, medium." Thanks!
Helge - Thank you for your feedback. I have forwarded your request to the product team. Please also file an enhancement request through the support portal so we can track your request properly.
I would also love to be able to sort strings case-insensitively. I can see that this has been requested as early as 2012. It should be a simple addition to the command.
Leonjxtan
Thank you for your question. The sort command sorts all of the events in the results from the previous command, and then returns the number specified with the count argument. If the count argument is not specified, the sort command returns the first 10000 of the entire sorted list. If you want all of the events returned, you must specify zero ( 0 ) for the count (for example ... | sort 0 ...
<count>
Syntax: <int>
Description: Specify the number of results to sort. If no count is specified, the default limit of 10000 is used. If "0" is specified, all results are returned.
Default: 10000
-> Does it mean that by default, if i add sort command, it will only return first 10000 rows, not all rows? are these first 10000 rows first before sorting or first after sorting?
example 1 is a bit problematic - using the num option on an ip field when there is an ip option sounds odd - example shows ... | sort num(ip), -str(url
Do not trust auto sort, prefer to specify a format sort num(field) or sort str(field).
Me anand1984, <br /><br />Nope. That really is the only way to do this particular type of sorting.
I'm using the below command today, but would love to find a better way<br /><br />| eval temp=lower(APP) | sort temp | fields APP
I would love to have a way to sort case-insensitively. I see in splunk answers that lot of people are interested in it
Pmalcakdoj
Thank you for pointing this out. You are correct, the description for <desc> was unclear. I have changed the description to explain what this argument really does.