Contribute in GitHub:

sort operator

Sort the rows of the input table into order by one or more columns.

events | sort by original_time desc

Alias

order

Syntax

T | sort by expression [asc | desc] [nulls first | nulls last] [, ...]

Arguments

T: The table input to sort.
expression: A scalar expression by which to sort. The type of the values must be numeric, date, time or string.
asc Sort by into ascending order, low to high. The default is desc, descending high to low.
nulls first (the default for asc order) will place the null values at the beginning and nulls last (the default for desc order) will place the null values at the end.

Example

In this example, we are searching for all records in events that have a name which is not 'Swizzor Botnet Traffic', sorted by the name. If name column contains null values, those will appear at the first lines of the result.

events
    | project name, original_time
    | where original_time > ago(5m)
    | where name != 'Swizzor Botnet Traffic'
    | distinct name
    | sort by name asc nulls first
    | limit 5

Results

`name`
`NULL`
`(Primary) Failover cable OK`
`(Primary) Failover cable Not OK`
`(Primary) Failover message block alloc failed`
`30419 Internet Explorer 8 XSS Attack`
`A fatal alert was generated and sent to the remote endpoint`

In order to exclude null values from the result add a filter before the call to sort:

events
    | project name, original_time
    | where original_time > ago(5m)
    | where name != 'Swizzor Botnet Traffic' and isnotnull(name)
    | distinct name
    | sort by name asc
    | limit 5

Results

`name`
`(Primary) Failover cable OK`
`(Primary) Failover cable Not OK`
`(Primary) Failover message block alloc failed`
`30419 Internet Explorer 8 XSS Attack`
`A fatal alert was generated and sent to the remote endpoint`