sort
Sorts events by the given expressions.
sort [-]expr...Description
Sorts events by the given expressions, putting all null values at the end.
If multiple expressions are specified, the sorting happens lexicographically, that is: Later expressions are only considered if all previous expressions evaluate to equal values.
This operator performs a stable sort (preserves relative ordering when all expressions evaluate to the same value).
Take care when using this operator with large inputs.
[-]expr
An expression that is evaluated for each event. Normally, events are sorted in ascending order. If the expression starts with -, descending order is used instead. In both cases, null is put last.
Examples
Sort by the timestamp field in ascending order.
sort timestampSort by the timestamp field in descending order.
sort -timestampSort by the field src_ip and, in case of matching values, sort by dest_ip.
sort src_ip, dest_ipSort by the field src_ip in ascending order and by the field dest_ip in
descending order.
sort src_ip, -dest_ip