The sort command sorts the search results by the specified fields.
The sort command supports two syntax notations. You must use one notation consistently within a single sort command.
The sort command has the following syntax in prefix notation:
sort [<count>] [+|-] <field> [, [+|-] <field>]...The sort command has the following syntax in suffix notation:
sort [<count>] <field> [asc|desc|a|d] [, <field> [asc|desc|a|d]]...The sort command supports the following parameters.
| Parameter | Required/Optional | Description |
|---|---|---|
<field> |
Required | The field used to sort. Use auto(field), str(field), ip(field), or num(field) to specify how to interpret field values. Multiple fields can be specified as a comma-separated list. |
<count> |
Optional | The number of results to return. A value of 0 or less returns all results. Default is 0. |
| `[+ | -]` | Optional |
| `[asc | desc | a |
The following query sorts logs by severity number in ascending order, showing the least severe entries first:
source=otellogs
| sort severityNumber
| fields severityText, severityNumber, `resource.attributes.service.name`
| head 4
The query returns the following results:
fetched rows / total rows = 4/4
+--------------+----------------+----------------------------------+
| severityText | severityNumber | resource.attributes.service.name |
|--------------+----------------+----------------------------------|
| DEBUG | 5 | cart |
| DEBUG | 5 | product-catalog |
| DEBUG | 5 | cart |
| INFO | 9 | frontend |
+--------------+----------------+----------------------------------+
The following query sorts logs by severity in descending order to surface the most critical issues first. You can use either prefix notation (- severityNumber) or suffix notation (severityNumber desc):
source=otellogs
| dedup severityText
| sort - severityNumber
| fields severityText, severityNumber
This query is equivalent to the following query:
source=otellogs
| dedup severityText
| sort severityNumber desc
| fields severityText, severityNumber
The query returns the following results:
fetched rows / total rows = 4/4
+--------------+----------------+
| severityText | severityNumber |
|--------------+----------------|
| ERROR | 17 |
| WARN | 13 |
| INFO | 9 |
| DEBUG | 5 |
+--------------+----------------+
The following query sorts errors by severity descending and service name ascending, so the most critical issues appear first and services are alphabetical within each severity level. You can use either prefix notation (+/-) or suffix notation (asc/desc):
source=otellogs
| dedup severityText, `resource.attributes.service.name`
| sort + severityNumber, - `resource.attributes.service.name`
| fields severityText, severityNumber, `resource.attributes.service.name`
| head 5
The query returns the following results:
fetched rows / total rows = 5/5
+--------------+----------------+----------------------------------+
| severityText | severityNumber | resource.attributes.service.name |
|--------------+----------------+----------------------------------|
| DEBUG | 5 | product-catalog |
| DEBUG | 5 | cart |
| INFO | 9 | frontend |
| INFO | 9 | checkout |
| INFO | 9 | cart |
+--------------+----------------+----------------------------------+
The equivalent query using suffix notation is:
source=otellogs
| dedup severityText, `resource.attributes.service.name`
| sort severityNumber asc, `resource.attributes.service.name` desc
| fields severityText, severityNumber, `resource.attributes.service.name`
| head 5
The query returns the following results:
fetched rows / total rows = 5/5
+--------------+----------------+----------------------------------+
| severityText | severityNumber | resource.attributes.service.name |
|--------------+----------------+----------------------------------|
| DEBUG | 5 | product-catalog |
| DEBUG | 5 | cart |
| INFO | 9 | frontend |
| INFO | 9 | checkout |
| INFO | 9 | cart |
+--------------+----------------+----------------------------------+
The default ascending order lists null values first. The following query sorts by the instrumentationScope.name field, showing that logs without instrumentation metadata appear before instrumented ones:
source=otellogs
| sort instrumentationScope.name
| fields instrumentationScope.name, severityText
| head 6
The query returns the following results:
fetched rows / total rows = 6/6
+---------------------------+--------------+
| instrumentationScope.name | severityText |
|---------------------------+--------------|
| null | DEBUG |
| null | ERROR |
| null | INFO |
| null | ERROR |
| null | WARN |
| null | INFO |
+---------------------------+--------------+
The following query sorts all logs by severity and returns only the 3 least severe entries:
source=otellogs
| sort 3 severityNumber
| fields severityText, severityNumber
The query returns the following results:
fetched rows / total rows = 3/3
+--------------+----------------+
| severityText | severityNumber |
|--------------+----------------|
| DEBUG | 5 |
| DEBUG | 5 |
| DEBUG | 5 |
+--------------+----------------+
The following query uses str() to sort severity numbers lexicographically instead of numerically. Notice that 5 and 9 appear after 21 because string sorting compares character by character:
source=otellogs
| dedup severityText
| sort str(severityNumber)
| fields severityText, severityNumber
The query returns the following results:
fetched rows / total rows = 4/4
+--------------+----------------+
| severityText | severityNumber |
|--------------+----------------|
| WARN | 13 |
| ERROR | 17 |
| DEBUG | 5 |
| INFO | 9 |
+--------------+----------------+