在 GitHub中添加内容: 在线编辑 排序运算符
按一个或多个列对输入表的行进行排序。
events | sort by original_time desc
别名
order
语法
T | sort by 表达式 [asc | desc] [nulls first | nulls last] [, ...]
参数
- T: 要排序的表输入。
- expression: 用于排序的标量表达式。 值的类型必须是数字,日期,时间或字符串。
asc按升序排序,从低到高。 缺省值为desc,从高到低降序。nulls first(asc订单的缺省值) 将在开头放置空值,而nulls last(desc订单的缺省值) 将在末尾放置空值。
示例
在此示例中,我们将搜索 events 中具有非 'Swizzor Botnet Traffic'(按名称排序) 的 name 的所有记录。 如果 name 列包含空值,那么这些值将显示在结果的第一行。
events
| project name, original_time
| where original_time > ago(5m)
| where name != 'Swizzor Botnet Traffic'
| distinct name
| sort by name asc nulls first
| limit 5
结果
name |
|---|
NULL |
(Primary) Failover cable OK |
(Primary) Failover cable Not OK |
(Primary) Failover message block alloc failed |
30419 Internet Explorer 8 XSS Attack |
A fatal alert was generated and sent to the remote endpoint |
为了从结果中排除空值,请在调用排序之前添加过滤器:
events
| project name, original_time
| where original_time > ago(5m)
| where name != 'Swizzor Botnet Traffic' and isnotnull(name)
| distinct name
| sort by name asc
| limit 5
结果
name |
|---|
(Primary) Failover cable OK |
(Primary) Failover cable Not OK |
(Primary) Failover message block alloc failed |
30419 Internet Explorer 8 XSS Attack |
A fatal alert was generated and sent to the remote endpoint |