_sort is a query directive used to sort the result set.


The generic syntax of the _sort directive is as given below:

_sort by <$Field> [ ASC | DESC ]


  • $Field is the field based on which the result set is sorted.
  • ASC | DESC indicates the order of sorting (ascending or descending).


Take a look at the example given below:

_fetch * from event where $LogType=WEBSERVER group count_unique $SrcIP limit 10
>>_sort by count_unique ASC


1. The _fetch directive retrieves all fields for each event in the event index where $LogType is WEBSERVER. The result set is then grouped by the unique values of $SrcIP, with the row count of each value reported as count_unique.

NOTE: The number of events fetched by the _fetch directive is limited to the duration specified in the Date Selector on the Search page. By default, the duration is the last 24 hours.

The result set is sorted by count_unique in descending order (the default). It is then limited to 100 rows. The output is as shown below:

[Screenshot: result set of the _fetch query]

2. In the pipelined query function, the _sort directive reorders the result set in the ascending order of count_unique using the ASC keyword. The output is as shown below:

[Screenshot: result set after the _sort directive]

NOTE: You can also sort an alphanumeric field in ascending (a to z) or descending (z to a) order.
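The order of operations in the pipeline above matters: the _fetch stage sorts and applies its limit first, and only then does _sort reorder whatever survived. The following model, an added example that is not DNIF's own code, replays that sequence over constructed web server events (SAMPLE_EVENTS, fetch_group_count_unique, sort_by and rarest_after_limit are all assumed names). It shows that adding _sort ... ASC after a limit returns the least-frequent source among the top-N, not the least-frequent source overall, and that sorting an alphanumeric field such as $SrcIP is a plain a-to-z string ordering.

```python
"""Model of `_fetch ... group count_unique $SrcIP limit N` followed by `>>_sort`.

Added example, not DNIF code. It reproduces the staging the page describes:
group, sort descending by count_unique (the default), apply the limit, and
only then let the pipelined _sort reorder the surviving rows.
"""
from collections import Counter

# Constructed sample events (not from the page). IP 10.0.0.i appears 13-i
# times, so 10.0.0.1 is the noisiest source and 10.0.0.12 the rarest.
# A FIREWALL event is included to show the $LogType filter excluding it.
SAMPLE_EVENTS = [
    {"$LogType": "WEBSERVER", "$SrcIP": f"10.0.0.{i}"}
    for i in range(1, 13)
    for _ in range(13 - i)
] + [{"$LogType": "FIREWALL", "$SrcIP": "10.0.0.99"}]


def fetch_group_count_unique(events, log_type, field, limit):
    """Model `_fetch * from event where $LogType=<log_type> group count_unique <field> limit <limit>`.

    Returns rows of {field: value, "count_unique": n}, sorted by count_unique
    descending (the default order), then cut to `limit` rows.
    """
    counts = Counter(e[field] for e in events if e.get("$LogType") == log_type)
    rows = [{field: value, "count_unique": n} for value, n in counts.items()]
    # Ties are broken by the field value so the model is deterministic (assumption).
    rows.sort(key=lambda r: (-r["count_unique"], r[field]))
    return rows[:limit]


def sort_by(rows, field, order="ASC"):
    """Model `>>_sort by <field> [ASC|DESC]` applied to an existing result set.

    Numeric fields sort numerically; string fields (e.g. $SrcIP) sort a-to-z,
    which is the alphanumeric ordering the page's note refers to.
    """
    if order not in ("ASC", "DESC"):
        raise ValueError("order must be ASC or DESC")
    return sorted(rows, key=lambda r: r[field], reverse=(order == "DESC"))


def rarest_after_limit(events, limit):
    """The first row of `... limit <limit> >>_sort by count_unique ASC`."""
    top = fetch_group_count_unique(events, "WEBSERVER", "$SrcIP", limit)
    return sort_by(top, "count_unique", "ASC")[0]


def rarest_overall(events):
    """The rarest source with no limit applied before sorting, for comparison."""
    all_rows = fetch_group_count_unique(events, "WEBSERVER", "$SrcIP", limit=None)
    return sort_by(all_rows, "count_unique", "ASC")[0]


if __name__ == "__main__":
    print("after limit 10, sorted ASC :", rarest_after_limit(SAMPLE_EVENTS, 10))
    print("rarest overall             :", rarest_overall(SAMPLE_EVENTS))
    top = fetch_group_count_unique(SAMPLE_EVENTS, "WEBSERVER", "$SrcIP", 10)
    print("alphanumeric DESC on $SrcIP:", [r["$SrcIP"] for r in sort_by(top, "$SrcIP", "DESC")])
```

Running the block shows the row returned by the limited-then-sorted query (10.0.0.10, count 3) differs from the genuinely rarest source (10.0.0.12, count 1); if the goal is to surface low-volume sources, the limit has to come after the ascending sort, not before it. The last line also shows that "10.0.0.10" sorts before "10.0.0.2" in alphanumeric order, because the comparison is on strings, not on octets.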