sort
Description
The sort command orders search results by one or more fields. It supports ascending and descending order, multiple sort keys, null value ordering, and type-specific sorting functions. Use it to find top-N results, order events chronologically, or rank aggregated data.
PPL supports two notation styles for specifying sort direction — prefix notation (+ field / - field) and suffix notation (field asc / field desc). Both produce identical results; choose whichever reads more clearly for your query. You must use one notation style consistently within a single sort command.
Syntax
Prefix notation
sort [<count>] [+|-] <field> [, [+|-] <field>]...
Suffix notation
sort [<count>] <field> [asc|desc|a|d] [, <field> [asc|desc|a|d]]...
Arguments
| Parameter | Required | Description |
|---|---|---|
| `<field>` | Yes | The field to sort by. Multiple fields are comma-separated; earlier fields take priority. Use `auto(field)`, `str(field)`, `ip(field)`, or `num(field)` to control how values are interpreted. |
| `+` / `-` | No | Prefix notation only. `+` for ascending (default), `-` for descending. |
| `asc` / `desc` | No | Suffix notation only. `asc` (or `a`) for ascending (default), `desc` (or `d`) for descending. |
| `<count>` | No | Maximum number of results to return. `0` or omitted returns all results. Produces the same rows as piping through `head`, but lets the engine optimize the top-N selection. |
Usage notes
- Default order is ascending: If you omit the direction indicator, results are sorted in ascending order (smallest/earliest first).
- Null and missing values: Null values sort first in ascending order and last in descending order. Keep this in mind when sorting on fields that may not exist on every document: `sort - severityNumber` pushes records without that field to the end, while `sort severityNumber` puts them at the top.
- Type-specific sort functions: Control how field values are compared:
  - `auto(field)`: automatic type detection (default behavior).
  - `str(field)`: sort as strings (lexicographic). Useful for sorting numeric fields as text (e.g. `str(severityNumber)` makes "17" come before "9").
  - `num(field)`: sort as numbers.
  - `ip(field)`: sort as IP addresses (numeric address order, so 10.0.0.9 comes before 10.0.0.10, which a string sort would reverse).
- Count parameter for top-N queries: `sort 10 - durationInNanos` returns only the 10 spans with the highest duration. This is more efficient than `sort - durationInNanos | head 10` because the engine only needs to track the current top 10 candidates instead of fully sorting the result set and then discarding the rest.
- Multi-field sorting: Fields are evaluated left to right. If two records tie on the first field, the second field breaks the tie, and so on.
- Performance: Sorting large result sets is memory-intensive because all matching documents must be held and compared. For large datasets, combine `sort` with a `stats` aggregation, or use the `<count>` argument or `head` to limit results. Sorting after `stats` (which typically produces fewer rows) is much cheaper than sorting raw events.
- Do not mix notations: Use either prefix or suffix notation within a single `sort` command; mixing them, as in `- severityNumber, serviceName desc`, is not supported.
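The notes above describe four behaviours that are easy to get wrong when reading query results: where nulls land in each direction, how `str()` and `ip()` change the order of the same values, how tie-breaking works across multiple keys, and why `sort N` is cheaper than a full sort followed by `head`. The following Python script is an added illustration, not code from the PPL documentation or the OpenSearch engine; it emulates the documented semantics over a handful of constructed log records (the `EVENTS` list, the `ppl_sort`, `top_n` and `make_key` helpers and the `as_*` casters are all assumptions of this example) so you can see the resulting orderings side by side.

```python
import heapq
import ipaddress

# Constructed sample events (not real telemetry). One record has no
# severityNumber so the null-ordering rule is exercised; client IPs are strings.
EVENTS = [
    {"service": "auth", "severityNumber": 17, "clientIp": "10.0.0.9", "time": 3},
    {"service": "auth", "severityNumber": 9, "clientIp": "10.0.0.10", "time": 1},
    {"service": "api", "severityNumber": 21, "clientIp": "192.168.1.2", "time": 4},
    {"service": "api", "clientIp": "10.0.0.1", "time": 2},  # severityNumber missing
    {"service": "billing", "severityNumber": 13, "clientIp": "10.0.0.100", "time": 5},
]


# Emulations of the page's auto()/str()/num()/ip() sort functions.
# These are local approximations for illustration, not the engine's own code.
def as_auto(v):
    # Numbers compare numerically; everything else compares as text.
    return (0, float(v)) if isinstance(v, (int, float)) else (1, str(v))


def as_str(v):
    return str(v)  # lexicographic: "17" sorts before "9"


def as_num(v):
    return float(v)


def as_ip(v):
    # Map IPv4 into the IPv6 integer space so v4 and v6 share one numeric order.
    addr = ipaddress.ip_address(v)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return int(addr)


CASTERS = {"auto": as_auto, "str": as_str, "num": as_num, "ip": as_ip}


def make_key(field, type_fn="auto"):
    """Key function for one field. Missing/None values get a sentinel that is
    smaller than every real value, so they come first ascending and last
    descending, matching the documented null ordering."""
    cast = CASTERS[type_fn]

    def key(rec):
        v = rec.get(field)
        return (0, 0) if v is None else (1, cast(v))

    return key


def ppl_sort(events, keys, count=0):
    """keys: list of (field, direction, type_fn) tuples; earlier keys win ties.
    Python's sort is stable, so sorting by the least significant key first and
    the most significant key last yields the same result as a multi-key sort."""
    out = list(events)
    for field, direction, type_fn in reversed(keys):
        out.sort(key=make_key(field, type_fn), reverse=(direction == "desc"))
    return out[:count] if count else out


def top_n(events, n, field, direction="desc", type_fn="auto"):
    """Single-key 'sort N field': a bounded heap keeps only N candidates, which
    is why an engine can run this cheaper than a full sort followed by head."""
    picker = heapq.nlargest if direction == "desc" else heapq.nsmallest
    return picker(n, events, key=make_key(field, type_fn))


if __name__ == "__main__":
    sev = lambda rows: [r.get("severityNumber") for r in rows]
    print("sort severityNumber      ->", sev(ppl_sort(EVENTS, [("severityNumber", "asc", "auto")])))
    print("sort - severityNumber    ->", sev(ppl_sort(EVENTS, [("severityNumber", "desc", "auto")])))
    print("sort str(severityNumber) ->", sev(ppl_sort(EVENTS, [("severityNumber", "asc", "str")])))
    print("sort ip(clientIp)        ->", [r["clientIp"] for r in ppl_sort(EVENTS, [("clientIp", "asc", "ip")])])
    print("sort 2 - time            ->", [r["time"] for r in top_n(EVENTS, 2, "time")])
```

The `(0, 0)` / `(1, value)` sentinel is the whole trick for null ordering: a single ascending comparison puts nulls first, and reversing that comparison puts them last, which is exactly the asymmetry the note describes. Swapping `"auto"` for `"str"` on `clientIp` is a quick way to see why `ip()` exists: as text, `10.0.0.100` sorts before `10.0.0.9`.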
Basic examples
Sort ascending (default)
source = logs-otel-v1* | sort severityNumber
Sort descending with prefix notation
source = logs-otel-v1* | sort - severityNumber
Multi-field sort
Sort by service name ascending, then by severity descending:
source = logs-otel-v1* | sort + `resource.attributes.service.name`, - severityNumber
This is equivalent in suffix notation:
source = logs-otel-v1* | sort `resource.attributes.service.name` asc, severityNumber desc
Limit results with count
Return only the 2 most recent log entries:
source = logs-otel-v1* | sort 2 - time
Lexicographic sort with str()
Sort numeric severity as strings (lexicographic order):
source = logs-otel-v1* | sort str(severityNumber)
Extended examples
OTel: Most recent error logs
Retrieve the 20 most recent error logs across all services, sorted by timestamp descending.
| where severityText = 'ERROR'
| sort - time
| head 20
OTel: Services with the most log volume
Aggregate log counts by service, then sort to find the noisiest services.
| stats count() as log_count by `resource.attributes.service.name`
| sort - log_count