sort - Amazon CloudWatch Logs

sort

Use sort to display log events in ascending (asc) or descending (desc) order by a specified field. You can use this with the limit command to create "top N" or "bottom N" queries.

If you sort in ascending order, the following logic is used.

  • All non-number values come before all number values. Number values are values that include only numbers, not a mix of numbers and other characters.

  • For non-number values that start with numbers, the number portion is compared first. Values that start with the same number of digits are sorted in ascending order. Values that start with more digits than other strings are sorted after the values that start with fewer digits. If the number portion of two values is the same, they are sorted based on the Unicode order of the rest of the value.

  • Non-numeric values are sorted by Unicode order, except when the leading characters are the same and the next characters are numeric. In this case they are sorted similarly to the preceding logic: values with the same number of digits after the initial leading characters are sorted in ascending order. Values that have more digits after the leading characters are sorted after the values that have fewer digits. If the number portion of two values is the same, they are then sorted based on the Unicode order of the rest of the value.

For more information about Unicode order, see List of Unicode characters.

For example, the following is the result of a sort in ascending order.

    !:          >>> Sorted by Unicode order
    #
    *%04
    0#          >>> Alphanumeric starting with numbers
    5A
    111A        >>> Starts with more digits than 5A, so it is sorted later than 5A
    2345_
    @           >>> 2345 is compared with @ in the Unicode order
    @_
    A           >>> Values starting with letters
    A9876fghj
    a12345hfh
    0           >>> Number values
    01
    1
    2
    3

If you sort in descending order, the sort results are the reverse.
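The following Python sketch is an added example, not AWS code. It is one reading of the ordering rules above that reproduces the ascending example, and it is useful for predicting where mixed string and number fields (for example, a byte count extracted with a unit suffix) land in a "top N" query. The names `sort_key` and `insights_sort` are hypothetical, and it assumes that every value is a string and that a "number value" consists only of ASCII digits.

```python
import re

# One token per digit run, or per single non-digit character.
_TOKEN = re.compile(r"[0-9]+|.", re.DOTALL)
_NUMBER = re.compile(r"[0-9]+")


def sort_key(value: str):
    """Ascending sort key modelled on the rules described on this page."""
    # Rule 1: values made only of digits sort after everything else,
    # ordered by numeric value; the raw text breaks ties ("01" before "1").
    if _NUMBER.fullmatch(value):
        return (1, int(value), value)
    tokens = []
    for tok in _TOKEN.findall(value):
        if tok[0] in "0123456789":
            # Rules 2 and 3: a digit run sits at the Unicode position of the
            # digits; fewer digits sort first, then the smaller number.
            tokens.append((ord("0"), len(tok), int(tok)))
        else:
            # Any other character is compared by its Unicode code point.
            tokens.append((ord(tok), 0, 0))
    return (0, tokens)


def insights_sort(values, descending=False):
    """Return values in the order the rules above describe."""
    return sorted(values, key=sort_key, reverse=descending)


# The values from the page's ascending example, scrambled (constructed input).
SAMPLE = ["3", "a12345hfh", "@_", "111A", "0", "*%04", "A", "2", "5A", "!:",
          "01", "2345_", "#", "1", "A9876fghj", "@", "0#"]

if __name__ == "__main__":
    for v in insights_sort(SAMPLE):
        print(v)
```

Under this model, a field that mixes `9kb`, `10kb`, `9` and `10` sorts ascending as `9kb`, `10kb`, `9`, `10`, so a `desc` sort with `limit` returns the pure-number values first.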

For example, the following query for Amazon VPC flow logs finds the top 15 packet transfers across hosts.

    stats sum(packets) as packetsTransferred by srcAddr, dstAddr
        | sort packetsTransferred desc
        | limit 15