Sort Operator

Overview

Order data with sort. The default sort order is descending.

| sort <field or expression> [asc|desc] [nulls first|nulls last][, ...]

Examples

Example data

let aws_alb = datatable [
  {"p_event_time": "2023-09-16 05:45:34.863", "clientIp": "192.168.11.34", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:59:04.058", "clientIp": "192.168.1.1", "elbStatusCode": 403, "requestHttpVersion": "HTTP/1.1"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.7", "elbStatusCode": 404, "requestHttpVersion": "HTTP/2.0"},
  {"p_event_time": "2023-09-16 05:36:09.017", "clientIp": "10.168.22.1", "elbStatusCode": 200, "requestHttpVersion": "HTTP/1.1"}
];

Sort by a single field

aws_alb
| sort p_event_time

| p_event_time | clientIp | elbStatusCode | requestHttpVersion |
| --- | --- | --- | --- |
| 2023-09-16 05:59:04.058 | 192.168.1.1 | 403 | HTTP/1.1 |
| 2023-09-16 05:45:34.863 | 192.168.11.34 | 200 | HTTP/1.1 |
| 2023-09-16 05:36:09.017 | 10.168.22.1 | 200 | HTTP/1.1 |
| 2023-09-16 05:36:09.017 | 10.168.22.7 | 404 | HTTP/2.0 |

Sort by multiple fields

You can specify multiple fields to sort by, each with a different sort order.

aws_alb
| sort p_event_time asc, clientIp desc

| p_event_time | clientIp | elbStatusCode | requestHttpVersion |
| --- | --- | --- | --- |
| 2023-09-16 05:36:09.017 | 10.168.22.7 | 404 | HTTP/2.0 |
| 2023-09-16 05:36:09.017 | 10.168.22.1 | 200 | HTTP/1.1 |
| 2023-09-16 05:45:34.863 | 192.168.11.34 | 200 | HTTP/1.1 |
| 2023-09-16 05:59:04.058 | 192.168.1.1 | 403 | HTTP/1.1 |
