# Sort operator

## Overview

Sort data with `sort`. The default sort order is descending.

```kusto
| sort <field or expression> [asc|desc] [nulls first|nulls last][, ...]
```

## Examples

{% hint style="info" %}
Example data

```kusto
let aws_alb = datatable [
  {"p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"}
];
```

{% endhint %}

### Sort by a single field

```kusto
aws_alb
| sort p_event_time
```

<table><thead><tr><th width="756.72265625">Event</th></tr></thead><tbody><tr><td><code>{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0" }</code></td></tr></tbody></table>

### Sort by multiple fields

You can sort by multiple fields, each with its own sort order.

```kusto
aws_alb
| sort p_event_time asc, clientIp desc
```

<table><thead><tr><th width="736.3779296875">Event</th></tr></thead><tbody><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1" }</code></td></tr></tbody></table>

### Sort alerts by severity

When you query alerts and sort the results by severity, you usually want them in actual severity order (that is, `CRITICAL` > `HIGH` > `MEDIUM` > `LOW` > `INFO`, or the reverse). However, if you simply use a clause such as `| sort severity`, severity is sorted alphabetically.

To sort in actual severity order, use the [`case` function](/ko/pantherflow/functions/control-flow.md#case) as follows:

```kusto
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key
```
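The following is an added example, not part of the original documentation. It combines the severity sort key above with a multi-field sort, so alerts are ordered by severity rank and then by time within each severity. The `alerts` table name, the `title` field, and all rows are constructed for illustration.

```kusto
// Constructed sample alerts; table name, field names and values are illustrative.
let alerts = datatable [
  {"p_event_time": "2023-09-16 05:10:00.000", "title": "Port scan from single source", "severity": "LOW"},
  {"p_event_time": "2023-09-16 05:20:00.000", "title": "Root console login", "severity": "CRITICAL"},
  {"p_event_time": "2023-09-16 05:30:00.000", "title": "MFA disabled for user", "severity": "HIGH"},
  {"p_event_time": "2023-09-16 05:05:00.000", "title": "IAM policy attached", "severity": "HIGH"},
  {"p_event_time": "2023-09-16 05:40:00.000", "title": "New API key created", "severity": "INFO"},
  {"p_event_time": "2023-09-16 05:15:00.000", "title": "Security group opened", "severity": "MEDIUM"}
];

// Map each severity label to a numeric rank so the sort is not alphabetical,
// then sort highest rank first and, within one severity, oldest alert first.
alerts
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key desc, p_event_time asc
```

Writing `desc` explicitly on the rank keeps the triage order readable even though descending is the default, and the `p_event_time asc` tie-breaker puts the older of the two `HIGH` alerts first.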

