Abstract
Learn more about the Cortex Query Language sort stage that identifies the sort order for records returned in the result set.
Syntax
sort asc|desc <field1>[, asc|desc <field2>...]
Description
The sort stage identifies the sort order for records returned in the result set. Records can be returned in ascending (asc) or descending (desc) order. If you include more than one field in the sort stage, records are sorted in field specification order.
Examples
Return the action_country and event_timestamp fields from all xdr_data records where the action_country field is not "-". Sort the result set first by the action_country field value in descending order, then by event_timestamp field in ascending order.
dataset = xdr_data | fields action_country as ac, event_timestamp as et | replacenull ac = "N/A" | filter ac != "-" | sort desc ac, asc et