# Sort Operator

## Overview

Order data with `sort`. The default sort order is descending.

```kusto
| sort <field or expression> [asc|desc] [nulls first|nulls last][, ...]
```

## Examples

{% hint style="info" %}
Example data

```kusto
let aws_alb = datatable [
  {"p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"}
];
```

{% endhint %}

### Sort by a single field

```kusto
aws_alb
| sort p_event_time
```

| EVENT |
| --- |
| `{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1" }` |
| `{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }` |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }` |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0" }` |

### Sort by multiple fields

You can specify multiple fields to sort by, each with its own sort order. Rows that tie on the first field are ordered by the second, and so on.

```kusto
aws_alb
| sort p_event_time asc, clientIp desc
```

| EVENT |
| --- |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0" }` |
| `{ "p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }` |
| `{ "p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1" }` |
| `{ "p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1" }` |

### Sort by alert severity

When querying alerts and sorting by severity, you usually want true severity order (`CRITICAL` > `HIGH` > `MEDIUM` > `LOW` > `INFO`, or the reverse). A plain `| sort severity` clause, however, compares the severity strings alphabetically, so `MEDIUM` sorts ahead of `HIGH` and `CRITICAL` ends up near the bottom.

To sort in true severity order, use the [`case` function](https://docs.panther.com/functions/control-flow#case) to map each severity to a numeric sort key and sort on that key instead:

```kusto
| extend severity_sort_key = case(severity == "CRITICAL", 5, severity == "HIGH", 4, severity == "MEDIUM", 3, severity == "LOW", 2, severity == "INFO", 1)
| sort severity_sort_key
```
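To make the difference concrete, here is an added Python model of the `sort` semantics described on this page (multiple keys, `asc`/`desc`, `nulls first`/`nulls last`) run over constructed alert rows; it is not Panther code, and its choices that a missing or unrecognised severity sorts as a null and that nulls go last by default are assumptions of the model, not statements about Panther.

```python
# Constructed sample alerts (not from the page). Two share a severity and one
# has none, so tie-breaking and null placement are both visible.
ALERTS = [
    {"id": "a1", "severity": "LOW"},
    {"id": "a2", "severity": "CRITICAL"},
    {"id": "a3", "severity": "INFO"},
    {"id": "a4", "severity": "MEDIUM"},
    {"id": "a5", "severity": None},
    {"id": "a6", "severity": "HIGH"},
    {"id": "a0", "severity": "HIGH"},
]

# Same mapping the page builds with case(): larger number = more severe.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1}


def sort_rows(rows, keys):
    """Emulate `| sort k1 [asc|desc] [nulls first|nulls last], k2 ...`.
    keys: (key_fn, descending, nulls_first) tuples. Descending is the page's
    default; nulls last as the default is an assumption of this model."""
    result = list(rows)
    # Python's sort is stable, so sorting by the last key first and the
    # first key last yields the combined multi-key order.
    for key_fn, descending, nulls_first in reversed(keys):
        # None does not compare with str/int, so split nulls out, sort the
        # rest, and reattach the nulls where the clause asks for them.
        nulls = [r for r in result if key_fn(r) is None]
        rest = sorted((r for r in result if key_fn(r) is not None),
                      key=key_fn, reverse=descending)
        result = nulls + rest if nulls_first else rest + nulls
    return result

def severity_rank(r):
    """The page's case() key; an unknown or missing severity becomes null."""
    return SEVERITY_RANK.get(r["severity"])

def by_name(rows, nulls_first=False):
    """`| sort severity`: descending alphabetical order, so MEDIUM comes first."""
    return [r["id"] for r in sort_rows(rows, [(lambda r: r["severity"], True, nulls_first)])]

def by_rank(rows, nulls_first=False):
    """`| extend severity_sort_key = case(...) | sort severity_sort_key`."""
    return [r["id"] for r in sort_rows(rows, [(severity_rank, True, nulls_first)])]

def by_rank_then_id(rows):
    """`| sort severity_sort_key desc, id asc`: equal severities broken by id."""
    keys = [(severity_rank, True, False), (lambda r: r["id"], False, False)]
    return [r["id"] for r in sort_rows(rows, keys)]
```

`by_name` returns the alphabetical order (`MEDIUM`, `LOW`, `INFO`, `HIGH`, `HIGH`, `CRITICAL`), while `by_rank` returns `CRITICAL` first and `INFO` last, which is the order an analyst triaging alerts expects.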
