sort

Version: v4.27
sort
Sorts events by the given expressions.
sort [-]expr...
Description
Sorts events by the given expressions, putting all null values at the end.
If multiple expressions are specified, the sorting happens lexicographically, that is: Later expressions are only considered if all previous expressions evaluate to equal values.
This operator performs a stable sort (preserves relative ordering when all expressions evaluate to the same value).
Potentially High Memory Usage
Take care when using this operator with large inputs.
[-]expr
An expression that is evaluated for each event. Normally, events are sorted in ascending order. If the expression starts with -, descending order is used instead. In both cases, null is put last.
Examples
Sort by a field in ascending order
sort timestamp
Sort by a field in descending order
sort -timestamp
Sort by multiple fields
Sort by a field src_ip and, in case of matching values, sort by dest_ip:
sort src_ip, dest_ip
Sort by the field src_ip in ascending order and by the field dest_ip in descending order.
sort src_ip, -dest_ip
Edit this page

Description​

[-]expr​

Examples​

Sort by a field in ascending order​

Sort by a field in descending order​

Sort by multiple fields​

Description

`[-]expr`

Examples

Sort by a field in ascending order

Sort by a field in descending order

Sort by multiple fields