Use: The sort command sorts all of the results by the specified fields. Results missing a given field are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively.
Alphabetic strings are sorted lexicographically.
Punctuation strings are sorted lexicographically.
Numeric data is sorted as you would expect for numbers and the sort order is specified as ascending or descending.
Alphanumeric strings are sorted based on the data type of the first character. If the string starts with a number, the string is sorted numerically based on that number alone. Otherwise, strings are sorted lexicographically.
Strings that are a combination of alphanumeric and punctuation characters are sorted the same way as alphanumeric strings.
Sort results by "ip" value in ascending order and then sort by the "url" value in descending order.
... | sort num(ip), -str(url)
Sort first 100 results in descending order of the "size" field and then by the "source" value in ascending order. This example specifies the type of data in each of the fields. The "size" field contains numbers and the "source" field contains strings.
... | sort 100 -num(size), +str(source)
Sort results by the "_time" field in ascending order and then by the "host" value in descending order.
... | sort _time, -host
Change the format of the event's time and sort the results in descending order by the Time field that is created with the eval command.
... | bin _time span=60m | eval Time=strftime(_time, "%m/%d %H:%M %Z") | stats avg(time_taken) AS AverageResponseTime BY Time | sort - Time
Sort a table of results in a specific order, such as days of the week or months of the year, that is not lexicographical or numeric. For example, you have a search that produces the following table:
