order
The order operator arranges events into order by one or more fields.
Alias: sort (sort and order are synonyms.)
Syntax
Scope | order [ topN=MaxNoOfOutputEvents ] [ maxEvents=MaxNoOfInputEvents ] by Field [ asc | desc ] [ nulls first | nulls last ] [, ...]
Arguments
| Name | Type | Required | Description |
|---|---|---|---|
| Scope | String | Yes | The events to search. |
| MaxNoOfOutputEvents | Int | No | Maximum number of events to produce. |
| MaxNoOfInputEvents | Int | No | Maximum number of events to handle and arrange. Usually, this value is already determined by the limit operator used earlier in the query, but you can also set it explicitly here. |
| Field | String | Yes | Field to sort by. The type of the field values must be numeric, date, time, or string. |
asc or desc | String | No | asc sorts into ascending order, low to high. Default is desc, high to low. For more details, see Sorting Rules. |
nulls first or nulls last | String | No | nulls first will place the null values at the beginning and nulls last will place the null values at the end. Default for asc is nulls first. Default for desc is nulls last. |
Sorting Rules
- Numeric values appear before other data types. An exception to that may be
null, whose behavior depends on thenulls first/nulls lastsetting above. - Numeric strings are converted to numbers when sorted. For example,
“100”and“5”are compared as100and5. - By default: for ascending order,
nulls appear first, and for descending order,nulls appear last. You can change this with thenulls first/nulls lastsetting above.
Example
All events with a specific ClientRequestId, ordered by their Timestamp.
dataset=myDataset
| where ClientRequestId == "5a848f70-9996-eb17-15ed-21b8eb94bf0e"
| order by Timestamp ascOrder results by the field event in descending order.
dataset=$vt_dummy event<100
| extend parity=iif(event%2==0, 'even', 'odd')
| order by event desc