The sort operator orders aggregated search results. The default sort order is descending.
Then you can use the top or limit operators to reduce the number of sorted results returned.
Order is also synonymous with sort. You can use them interchangeably in your queries.
... | sort by fieldname (displays results as descending, by default)
... | sort by +fieldname (displays results as ascending)
... | sort by fieldname asc (displays results as ascending)
... | sort by fieldA, fieldB
... | top # fieldname by group_by_function
- Default sort order is descending.
- To reverse the sort order to ascending, type a plus sign (+) before the field name you are sorting by. Alternatively, you can type asc after the field name.
- To numerically sort, first cast the field to a number. (Otherwise, the sort will be ordered as a text field.)
status AND down | extract "user=(?<user>.*?):" | count (*) group by user | sort by _count
... | count user | top 2 user by _count
... | count user | sort by _count asc
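As an added illustration that is not part of the Sumo Logic documentation, the following Python reimplements the behaviour described above over a few constructed log lines: the extract/count pipeline of the first example query, the sort rules (descending by default, a plus sign or asc for ascending, several comma-separated fields), the top/limit step used in the page-hits example further down, and the text-versus-number caveat from the last bullet. The sample log lines, the Python (?P<user>...) named-group spelling of the page's regex, and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample messages (not from the page); each mimics a "status ... down" log line.
SAMPLE_LOGS = [
    "status=down user=alice: host1",
    "status=down user=bob: host2",
    "status=down user=alice: host3",
    "status=down user=carol: host4",
    "status=down user=alice: host5",
    "status=down user=bob: host6",
    "status=down user=bob: host7",
    "status=up user=dave: host8",   # does not match "status AND down", so it is dropped
]

# Python spelling of the page's extract pattern user=(?<user>.*?):
USER_RE = re.compile(r"user=(?P<user>.*?):")


def count_by_user(lines):
    """Equivalent of: status AND down | extract "user=(?<user>.*?):" | count(*) group by user."""
    counts = Counter()
    for line in lines:
        if "status" in line and "down" in line:     # the keyword search "status AND down"
            m = USER_RE.search(line)
            if m:
                counts[m.group("user")] += 1
    # Like the search engine, expose the aggregate under the _count field name.
    return [{"user": user, "_count": n} for user, n in counts.items()]


def sort_by(rows, spec):
    """Apply a 'sort by' clause.

    spec examples: "_count" (descending, the default), "+_count" or "_count asc"
    (ascending), "_count, user" (several fields, each with its own direction).
    """
    keys = []
    for clause in spec.split(","):
        parts = clause.split()
        field = parts[0]
        ascending = field.startswith("+") or (len(parts) > 1 and parts[1].lower() == "asc")
        keys.append((field.lstrip("+"), ascending))
    result = list(rows)
    # Python's sort is stable, so applying the keys from last to first yields
    # "primary key first, then secondary key" ordering.
    for field, ascending in reversed(keys):
        result.sort(key=lambda r, f=field: r[f], reverse=not ascending)
    return result


def top(rows, n, spec):
    """Equivalent of: ... | sort by <spec> | limit n  (or top n by <spec>)."""
    return sort_by(rows, spec)[:n]


def numeric_caveat():
    """Show why a field must be cast to a number before a numeric sort.

    Returns (text_order, numeric_order) for a descending sort of "9", "10", "100".
    """
    rows = [{"_count": "9"}, {"_count": "10"}, {"_count": "100"}]  # counts stored as text
    text_order = [r["_count"] for r in sort_by(rows, "_count")]      # compares character by character
    cast = [dict(r, _count=int(r["_count"])) for r in rows]            # the "cast to a number" step
    numeric_order = [r["_count"] for r in sort_by(cast, "_count")]
    return text_order, numeric_order


if __name__ == "__main__":
    rows = count_by_user(SAMPLE_LOGS)
    print("sort by _count     :", sort_by(rows, "_count"))
    print("sort by +_count    :", sort_by(rows, "+_count"))
    print("sort by _count, user:", sort_by(rows, "_count, user"))
    print("top 2 user by _count:", top(rows, 2, "_count"))
    print("text vs numeric sort:", numeric_caveat())
```

With the constructed input, alice and bob tie at three events each; the second sort field in "_count, user" is what decides their order, and the text-versus-numeric comparison returns "9" ahead of "100" until the field is cast to an integer.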
Top 10 pages by page hits.
In this example, you count page hits by source host (_sourceHost), sort by page hits, and limit the results to the top 10.
| count as page_hits by _sourceHost
| sort by page_hits
| limit 10
which provides results like: