sort
Sorts events by the given expressions.
sort [-]expr...Description
Section titled “Description”Sorts events by the given expressions, putting all null values at the end.
If multiple expressions are specified, the sorting happens lexicographically, that is: Later expressions are only considered if all previous expressions evaluate to equal values.
This operator performs a stable sort (preserves relative ordering when all expressions evaluate to the same value).
[-]expr
Section titled “[-]expr”An expression that is evaluated for each event. Normally, events are sorted in
ascending order. If the expression starts with -, descending order is used
instead. In both cases, null is put last.
Examples
Section titled “Examples”Sort by a field in ascending order
Section titled “Sort by a field in ascending order”sort timestampSort by a field in descending order
Section titled “Sort by a field in descending order”sort -timestampSort by multiple fields
Section titled “Sort by multiple fields”Sort by a field src_ip and, in case of matching values, sort by dest_ip:
sort src_ip, dest_ipSort by the field src_ip in ascending order and by the field dest_ip in
descending order.
sort src_ip, -dest_ip