This page explains how to use the sort operator function in APL.
The sort operator in APL arranges the rows of a result set based on one or more fields in ascending or descending order. You can use it to organize your data logically or optimize subsequent operations that depend on ordered data. This operator is useful when analyzing logs, traces, or any dataset where the order of results matters, such as when you’re interested in top or bottom performers, chronological sequences, or sorting by status codes.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
In Splunk SPL, the equivalent of sort is the sort command, which orders search results based on one or more fields. However, in APL, you must explicitly specify the sorting direction for each field, and sorting by multiple fields requires chaining them with commas.
ANSI SQL users
ANSI SQL users
In SQL, sorting is done using the ORDER BY clause. The APL sort operator behaves similarly but uses the by keyword instead of ORDER BY. Additionally, APL requires specifying the order direction (asc or desc) explicitly for each field.
Usage
Syntax
Parameters
Field1,Field2, …: The fields to sort by.- [asc | desc]: Specify the sorting direction for each field as either
ascfor ascending order ordescfor descending order.
Returns
A table with rows ordered based on the specified fields.
Use sort and project together
When you use project and sort in the same query, ensure you project the fields that you want to sort on. Similarly, when you use project-away and sort in the same query, ensure you don’t remove the fields that you want to sort on.
The above is also true for time fields. For example, to project the field status and sort on the field _time, project both fields similarly to the query below:
Use case examples
Sorting HTTP logs by request duration and then by status code is useful to identify slow requests and their corresponding statuses.
Query
Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-18 12:34:56 | 5000 | abc1 | 500 | /api/data | GET | New York | US |
| 2024-10-18 12:35:56 | 4500 | abc2 | 200 | /api/users | POST | London | UK |
The query sorts the HTTP logs by the duration of each request in descending order, showing the longest-running requests at the top. If two requests have the same duration, they are sorted by status code in ascending order.
Sorting HTTP logs by request duration and then by status code is useful to identify slow requests and their corresponding statuses.
Query
Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-18 12:34:56 | 5000 | abc1 | 500 | /api/data | GET | New York | US |
| 2024-10-18 12:35:56 | 4500 | abc2 | 200 | /api/users | POST | London | UK |
The query sorts the HTTP logs by the duration of each request in descending order, showing the longest-running requests at the top. If two requests have the same duration, they are sorted by status code in ascending order.
Sorting OpenTelemetry traces by span duration helps identify the longest-running spans within a specific service.
Query
Output
| _time | duration | span_id | trace_id | service.name | kind | status_code |
|---|---|---|---|---|---|---|
| 2024-10-18 12:36:56 | 00:00:15 | span1 | trace1 | frontend | server | 200 |
| 2024-10-18 12:37:56 | 00:00:14 | span2 | trace2 | cartservice | client | 500 |
This query sorts spans by their duration in descending order, with the longest spans at the top, followed by the service name in ascending order.
Sorting security logs by status code and then by timestamp can help in investigating recent failed requests.
Query
Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-18 12:40:56 | 3000 | abc3 | 400 | /api/login | POST | Toronto | CA |
| 2024-10-18 12:39:56 | 2000 | abc4 | 400 | /api/auth | GET | Berlin | DE |
This query sorts security logs by status code first (in ascending order) and then by the most recent events.
List of related operators
- top: Use
topto return a specified number of rows with the highest or lowest values, but unlikesort,toplimits the result set. - project: Use
projectto select and reorder fields without changing the order of rows. - extend: Use
extendto create calculated fields that can then be used in conjunction withsortto refine your results. - summarize: Use
summarizeto group and aggregate data before applyingsortfor detailed analysis.