GitHub:

排序運算子

依一或多個直欄來排序輸入表格的列。

events | sort by original_time desc

別名

order

語法

T | sort by 表示式 [asc | desc] [nulls first | nulls last] [, ...]

引數

T: 要排序的表格輸入。
expression: 排序所依據的純量表示式。值的類型必須是數值、日期、時間或字串。
asc 依升冪排序，由低至高。預設值為 desc，從高到低遞減。
nulls first ( asc 訂單的預設值) 會在開頭放置空值，而 nulls last ( desc 訂單的預設值) 會在結尾放置空值。

範例

在此範例中，我們正在 events 中搜尋 name 不是 'Swizzor Botnet Traffic'(依名稱排序) 的所有記錄。如果 name 直欄包含空值，則這些值將出現在結果的第一行。

events
    | project name, original_time
    | where original_time > ago(5m)
    | where name != 'Swizzor Botnet Traffic'
    | distinct name
    | sort by name asc nulls first
    | limit 5

結果

`name`
`NULL`
`(Primary) Failover cable OK`
`(Primary) Failover cable Not OK`
`(Primary) Failover message block alloc failed`
`30419 Internet Explorer 8 XSS Attack`
`A fatal alert was generated and sent to the remote endpoint`

為了從結果中排除空值，請在呼叫排序之前新增過濾器:

events
    | project name, original_time
    | where original_time > ago(5m)
    | where name != 'Swizzor Botnet Traffic' and isnotnull(name)
    | distinct name
    | sort by name asc
    | limit 5

結果

`name`
`(Primary) Failover cable OK`
`(Primary) Failover cable Not OK`
`(Primary) Failover message block alloc failed`
`30419 Internet Explorer 8 XSS Attack`
`A fatal alert was generated and sent to the remote endpoint`