# Sort operator

## Overview

Sort data with `sort`. The default sort order is descending.

```kusto
| sort <field or expression> [asc|desc] [nulls first|nulls last][, ...]
```

## Examples

{% hint style="info" %}
Example data

```kusto
let aws_alb = datatable [
  {"p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"}
];
```

{% endhint %}

### Sort by a single field

```kusto
aws_alb
| sort p_event_time
```

<table><thead><tr><th width="756.72265625">Event</th></tr></thead><tbody><tr><td><code>{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0" }</code></td></tr></tbody></table>

### Sort by multiple fields

You can specify multiple fields to sort by, and each field can have its own sort order.

```kusto
aws_alb
| sort p_event_time asc, clientIp desc
```

<table><thead><tr><th width="736.3779296875">Event</th></tr></thead><tbody><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }</code></td></tr><tr><td><code>{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1" }</code></td></tr></tbody></table>

### Sort alerts by severity

When you query alerts and sort the results by severity, you usually want them in true severity order (that is, `CRITICAL` > `HIGH` > `MEDIUM` > `LOW` > `INFO`, or the reverse). However, if you simply use a clause such as `| sort severity`, the severity values are sorted alphabetically.

To sort in true severity order, use the [`case` function](/ko/pantherflow/functions/control-flow.md#case) as follows:

```kusto
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key
```
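The following is an added example, not part of the original documentation, that puts the severity key together with a multi-field sort so the most severe alerts come first and, within each severity, the oldest come first. The `sample_alerts` table, its rows, and the `alertId` field are constructed for illustration. On this data a plain `| sort severity` (alphabetical, descending by default) would yield `MEDIUM`, `LOW`, `INFO`, `HIGH`, `CRITICAL`, pushing the critical alerts to the bottom.

```kusto
// Constructed sample alerts; sample_alerts and alertId are hypothetical names
let sample_alerts = datatable [
  {"p_event_time": "2023-09-16 05:36:09.017", "alertId": "a-1", "severity": "LOW"},
  {"p_event_time": "2023-09-16 05:45:34.863", "alertId": "a-2", "severity": "CRITICAL"},
  {"p_event_time": "2023-09-16 05:59:04.058", "alertId": "a-3", "severity": "MEDIUM"},
  {"p_event_time": "2023-09-16 05:40:00.000", "alertId": "a-4", "severity": "CRITICAL"},
  {"p_event_time": "2023-09-16 05:50:00.000", "alertId": "a-5", "severity": "HIGH"},
  {"p_event_time": "2023-09-16 05:55:00.000", "alertId": "a-6", "severity": "INFO"}
];

sample_alerts
// Map each severity label to a numeric rank so the sort follows real severity
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
// Highest severity first; ties broken by earliest event time
| sort severity_sort_key desc, p_event_time asc
```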

