sort
The sort operator arranges events into order by one or more fields.
Alias: order (order and sort are synonyms.)
Syntax
Scope | sort [ topN=MaxNoOfOutputEvents ] [ maxEvents=MaxNoOfInputEvents ] by Field [ asc | desc ] [ nulls first | nulls last ] [, ...]
Arguments
| Name | Type | Required | Description | 
|---|---|---|---|
| Scope | String | Yes | The events to search. | 
| MaxNoOfOutputEvents | Int | No | Maximum number of events to produce. The output is limited to 10000 events, so entering a higher MaxNoOfOutputEvents value effectively sets a limit of 10000. | 
| MaxNoOfInputEvents | Int | No | Maximum number of events to handle and arrange. Usually, this value is already determined by the limit operator used earlier in the query, but you can also set it explicitly here. | 
| Field | String | Yes | Field to sort by. The type of the field values must be numeric, date, time, or string. | 
| asc or desc | String | No | asc sorts into ascending order, low to high. Default is desc, high to low. For more details, see Sorting Rules. | 
| nulls first or nulls last | String | No | nulls first will place the null values at the beginning and nulls last will place the null values at the end. Default for asc is nulls first. Default for desc is nulls last. | 
Sorting Rules
- Numeric values appear before other data types. An exception to that may be null, whose behavior depends on the nulls first / nulls last setting above.
- Numeric strings are converted to numbers when sorted. For example, “100” and “5” are compared as 100 and 5.
- By default: for ascending order, nulls appear first, and for descending order, nulls appear last. You can change this with the nulls first / nulls last setting above.
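The rules above, modelled in Python as an added example (this is not the product's code or its implementation). The function names, the sample events and the bytes field are constructed. Assumptions: non-numeric values compare as plain strings, numeric values stay ahead of other types in descending order too (a literal reading of the first rule), a missing field counts as null, and date/time values are not modelled.

```python
import math

def as_number(value):
    """Return a float for numbers and numeric strings, else None."""
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        return None
    try:
        number = float(value)
    except (ValueError, OverflowError):
        return None
    # "nan" and "inf" parse as floats but are treated as ordinary strings here
    return number if math.isfinite(number) else None

def model_sort(events, field, order="desc", nulls=None):
    """Order events by one field following the documented sorting rules."""
    if order not in ("asc", "desc"):
        raise ValueError("order must be 'asc' or 'desc'")
    if nulls is None:
        # Documented defaults: asc -> nulls first, desc -> nulls last
        nulls = "first" if order == "asc" else "last"
    if nulls not in ("first", "last"):
        raise ValueError("nulls must be 'first' or 'last'")

    null_rows, numeric_rows, other_rows = [], [], []
    for event in events:
        value = event.get(field)  # assumption: missing field counts as null
        if value is None:
            null_rows.append(event)
        elif as_number(value) is not None:
            numeric_rows.append(event)  # includes numeric strings such as "5"
        else:
            other_rows.append(event)

    reverse = order == "desc"
    numeric_rows.sort(key=lambda e: as_number(e[field]), reverse=reverse)
    other_rows.sort(key=lambda e: str(e[field]), reverse=reverse)

    ordered = numeric_rows + other_rows  # numeric values before other types
    return null_rows + ordered if nulls == "first" else ordered + null_rows

# Constructed sample events mixing numbers, a numeric string, text and null
SAMPLE = [
    {"id": 1, "bytes": 100},
    {"id": 2, "bytes": "5"},
    {"id": 3, "bytes": None},
    {"id": 4, "bytes": "n/a"},
    {"id": 5, "bytes": 20},
]

if __name__ == "__main__":
    for row in model_sort(SAMPLE, "bytes", order="asc", nulls="last"):
        print(row)
```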
Example
All events with a specific ClientRequestId, sorted by their Timestamp.
dataset=myDataset
| where ClientRequestId == "5a848f70-9996-eb17-15ed-21b8eb94bf0e"
| sort by Timestamp asc
Sort results by the field event in descending order.
dataset=$vt_dummy event<100
| extend parity=iif(event%2==0, 'even', 'odd')
| order by event desc