Scalar functions
sort operator
Sorts the rows of the dataset into an order by one or more columns(fields). The default behavior of the sort operator depends on how you configure and run your query:
- If a sort field is specified but not a direction, the direction defaults to
desc. - If the sort operator is omitted entirely from the query, the query defaults to sort by
_time asc.
Syntax
| sort by Expression [asc | desc] [, ...]Arguments
| name | type | description |
|---|---|---|
| expression | expression | A scalar expression by which to sort. The value type must be numeric, date, time or string. |
| asc | string | Sort by into ascending order, low to high. |
| desc | string | Sort by into descending order, high to low. |
Examples
Default Behavior When Sort Field Specified Without Direction
In this example, the sortn operator is used with a specified sort field but without a sort direction, thus it defaults to descending order (desc).
['sample-http-logs']
| where method == 'GET'
| sort by _timeDefault Behavior When Sort Operator Omitted
In this case, no sort operator is included in the query. Consequently, the dataset defaults to sorting by _time in ascending order (asc).
['sample-http-logs']
| where method == 'GET'Specifying Ascending Order
In this example, the asc option is used to sort the data in ascending order.
['sample-http-logs']
| where method == 'GET'
| sort by _time ascSpecifying Descending Order
To specify a descending order sort, use the desc option, as shown in this example:
['sample-http-logs']
| where method == 'GET'
| sort by _time desc
