nano SIEM
sort

Order search results by one or more fields in ascending or descending order.

Description

The sort command arranges results based on field values. You can sort by multiple fields with different sort orders, and specify whether to sort ascending (smallest to largest) or descending (largest to smallest).

Sorting is particularly useful after aggregations to identify top or bottom values, or to organize time-series data chronologically.

Syntax

... | sort [+|-]<field> [[+|-]<field> ...] [limit=<int>]

Or with explicit direction:

... | sort <field> [asc|desc] [, <field> [asc|desc] ...] [limit=<int>]

Required Arguments

field
One or more fields to sort by. Evaluated left to right (first field is primary sort).

Optional Arguments

Direction prefix
Syntax: + or - before field name
Description: + for ascending (default), - for descending
Example: -count sorts count from high to low

Direction keyword
Syntax: asc or desc after field name
Description: asc for ascending (default), desc for descending
Example: count desc

limit
Syntax: limit=<int>
Description: Return only the first N sorted results
Default: All results

Examples

Sort by single field (ascending)

* | stats count() by user
  | sort count

Shows users ordered by event count, lowest first.

Sort descending

* | stats count() by user
  | sort -count

Shows users ordered by event count, highest first.

Sort with desc keyword

* | stats count() by user
  | sort count desc

Alternative syntax for descending sort.

Sort by multiple fields

* | stats count() by severity, user
  | sort -severity, user

Sorts by severity descending, then by user ascending (A to Z) within each severity. Note that -severity means "high to low" only when severity is numeric; if it holds text labels such as high, medium and low, they sort in reverse dictionary order (medium, low, high), so map the labels to a numeric rank first if you need true high-to-low ordering.

Mixed sort directions

* | stats count() as events, avg(bytes) as avg_bytes by src_ip
  | sort -events, +avg_bytes

Sorts by events descending, then avg_bytes ascending.

Sort with limit

* | stats count() by endpoint
  | sort -count limit=10

Returns only the top 10 endpoints by count.

Sort timestamps

* | sort timestamp

Orders events chronologically, oldest first.

Sort timestamps descending

* | sort -timestamp

Orders events chronologically, newest first.

Sort aggregated time series

* | bin span=1h
  | stats count() by time_bucket
  | sort time_bucket

Orders time buckets chronologically.

Find slowest endpoints

* | stats avg(response_time) as avg_time by endpoint
  | sort -avg_time limit=5

Shows the 5 slowest endpoints.

Find most active users

* | stats count() as events,
         sum(bytes) as total_bytes
  by user
  | sort -events, -total_bytes

Sorts by events first, then bytes (both descending).

Alphabetical sorting

* | stats count() by user
  | sort user

Sorts users alphabetically.

Sort by calculated field

* | stats sum(bytes_in) as inbound,
         sum(bytes_out) as outbound
  by src_ip
  | eval ratio = outbound / inbound
  | sort -ratio

Sorts by the eval-calculated ratio field, highest ratio first. Because inbound is the divisor, a source with no inbound bytes divides by zero; check how eval represents that result on your deployment (null or an error) before reading the top rows as the most lopsided talkers.

Find least common values

* | stats count() by dest_port
  | sort count limit=10

Shows the 10 least common destination ports.

Multi-level grouping sort

* | stats count() by severity, category, user
  | sort -severity, category, -count

Sorts by severity descending, then by category ascending within each severity, then by count descending within each (severity, category) pair. As in the earlier severity example, -severity gives high-to-low order only for a numeric severity field.

Sort with null handling

* | stats count() by enriched_src_country
  | sort enriched_src_country

Rows with a null enriched_src_country are expected to sort first here (ascending) and last with -enriched_src_country. A null in an enrichment field usually means the lookup failed rather than that the value is unknown, so inspect the null row before treating the top or bottom of the list as a finding.

Usage Notes

Default order: Without a prefix or keyword, sort is ascending (A-Z, 0-9, oldest to newest).

Multiple fields: When sorting by multiple fields, the first field is the primary sort. Subsequent fields break ties.

Performance: Sorting large result sets can be expensive. Use limit to reduce overhead when you only need top/bottom results.

Null values: Fields with null values are typically sorted to the beginning (ascending) or end (descending).

String sorting: String fields sort lexicographically (dictionary order), so "10" comes before "2". A numeric value stored as a string (for example, a count extracted by a regex) sorts this way too; convert it to a number with eval before sorting if you need numeric order.

Numeric sorting: Numeric fields sort numerically. 2 comes before 10.

Case sensitivity: String sorting is case-sensitive by default. "Apple" comes before "apple".

Memory usage: Sorting requires holding results in memory. Very large result sets may impact performance.

Alternative to limit: Instead of sort ... limit=N, consider using head or tail commands after sort for clarity.
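The usage notes above describe how a sort clause is resolved but give no way to check the outcome without running a search. The following Python script is an added example, not nano SIEM code: it models the documented rules (left-to-right field priority with later fields breaking ties, +/- or asc/desc direction, limit, nulls first in ascending order, numeric fields compared numerically and everything else as case-sensitive strings) over a constructed result set, so you can see what a clause such as sort -severity, user does to text severity labels versus numeric ranks. Both argument syntaxes are parsed. The LABELLED and RANKED rows and the user names in them are made up for the example.

```python
from __future__ import annotations

import re
from typing import Any, Callable, Optional

# Added example, not nano SIEM code: a reference model of the sort rules in
# the usage notes, applied to rows exported from a search.

_LIMIT_RE = re.compile(r"\blimit=(\d+)\s*$")


def parse_sort_spec(spec: str) -> tuple[list[tuple[str, str]], Optional[int]]:
    """Parse the argument string of sort in either documented syntax.

    "-count, +user limit=10" -> ([("count", "desc"), ("user", "asc")], 10)
    "count desc, user asc"   -> ([("count", "desc"), ("user", "asc")], None)
    """
    limit = None
    m = _LIMIT_RE.search(spec)
    if m:
        limit = int(m.group(1))
        spec = spec[: m.start()]
    keys: list[tuple[str, str]] = []
    for token in re.split(r"\s*,\s*|\s+", spec.strip()):
        if not token:
            continue
        low = token.lower()
        if low in ("asc", "desc"):          # keyword form applies to the previous field
            if not keys:
                raise ValueError(f"direction {token!r} without a field")
            keys[-1] = (keys[-1][0], low)
        elif token[0] in "+-":              # prefix form
            keys.append((token[1:], "desc" if token[0] == "-" else "asc"))
        else:                               # bare field: ascending by default
            keys.append((token, "asc"))
    if not keys:
        raise ValueError("sort needs at least one field")
    return keys, limit


def _is_number(v: Any) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def _key_for(rows: list[dict], field: str) -> Callable[[dict], tuple]:
    """Key function for one field.

    A missing or None value gets a leading 0 so it sorts first ascending;
    with reverse=True the same key puts it last, as the usage notes state.
    If every non-null value is a number the field compares numerically,
    otherwise every value compares as a case-sensitive string ("10" < "2").
    """
    numeric = all(_is_number(r.get(field)) for r in rows if r.get(field) is not None)

    def key(row: dict) -> tuple:
        v = row.get(field)
        if v is None:
            return (0, 0 if numeric else "")
        return (1, v if numeric else str(v))

    return key


def sort_results(rows: list[dict], spec: str) -> list[dict]:
    """Apply a sort clause to result rows and return the ordered (and limited) list."""
    keys, limit = parse_sort_spec(spec)
    out = list(rows)
    # Python's sort is stable, so sorting on the last field first and the
    # primary field last gives the documented priority: later fields only
    # break ties among rows that are equal on earlier ones.
    for field, direction in reversed(keys):
        out.sort(key=_key_for(out, field), reverse=(direction == "desc"))
    return out[:limit] if limit is not None else out


def field_order(rows: list[dict], spec: str, field: str) -> list:
    """Values of one field in sorted order, for quick inspection."""
    return [r.get(field) for r in sort_results(rows, spec)]


# Constructed rows, as stats count() by severity, user might return them.
# severity is a text label here, the case where -severity is NOT high to low.
LABELLED = [
    {"severity": "low", "user": "carol", "count": 12},
    {"severity": "high", "user": "bob", "count": 3},
    {"severity": "medium", "user": "alice", "count": 7},
    {"severity": "high", "user": "alice", "count": 9},
    {"severity": None, "user": "svc-backup", "count": 40},  # enrichment missing
]
# The same rows with severity mapped to a numeric rank, where -severity works.
RANKED = [dict(r, severity={"low": 1, "medium": 2, "high": 3}.get(r["severity"]))
          for r in LABELLED]

if __name__ == "__main__":
    print(field_order(LABELLED, "-severity, user", "severity"))  # ['medium', 'low', 'high', 'high', None]
    print(field_order(RANKED, "-severity, user", "severity"))    # [3, 3, 2, 1, None]
    print(field_order([{"n": "10"}, {"n": "2"}, {"n": "1"}], "n", "n"))  # ['1', '10', '2']
    print(field_order(LABELLED, "-count limit=2", "count"))      # [40, 12]
```

Run it before shipping a detection that depends on ordering: the first print shows the label trap from the severity example (medium lands above high), the second shows that a numeric rank fixes it, and the null row appears at the end of a descending sort, which is where a failed enrichment quietly hides.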

See Also

  • stats - Aggregate data before sorting
  • head - Get first N results after sorting
  • tail - Get last N results after sorting
  • top - Automatically sort and limit by most common values
  • rare - Automatically sort and limit by least common values