The order operator in Axiom Processing Language (APL) allows you to sort the rows of a result set by one or more specified fields. You can use this operator to organize data for easier interpretation, prioritize specific values, or prepare data for subsequent analysis steps. The order operator is particularly useful when working with logs, telemetry data, or any dataset where ranking or sorting by values (such as time, status, or user ID) is necessary.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the equivalent of order is sort. The syntax is similar, but SPL expresses the direction with a sign prefix on the field name (a leading - for descending, + or no prefix for ascending), whereas APL places the asc or desc keyword after the field name:

```kusto
['sample-http-logs']
| order by _time desc
```

In ANSI SQL, the equivalent of order is ORDER BY, which takes the ASC or DESC keyword after each column name. APL works the same way: the asc or desc keyword follows the field name.

```kusto
['sample-http-logs']
| order by _time desc
```

Usage
Syntax

```kusto
| order by FieldName [asc | desc], FieldName [asc | desc]
```

Parameters

- FieldName: The name of the field by which to sort.
- asc: Sorts the field in ascending order.
- desc: Sorts the field in descending order.

State the direction explicitly for every field rather than relying on the default, so the intent of the query stays clear when it is reused in alerts or dashboards.
Returns
The order operator returns the input dataset, sorted according to the specified fields and direction (ascending or descending). If multiple fields are specified, rows are sorted by the first field; rows with equal values in the first field are then sorted by the second field, and so on. Rows that are equal on every sort field have no specified relative order, so add a distinguishing field (for example, _time) as the last sort key when you need deterministic output.
Use case examples
In this example, you sort HTTP logs by request duration in descending order to prioritize the longest requests.
Query
```kusto
['sample-http-logs']
| order by req_duration_ms desc
```

Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-17 10:10:01 | 1500 | user12 | 200 | /api/v1/get-orders | GET | Seattle | US |
| 2024-10-17 10:09:47 | 1350 | user23 | 404 | /api/v1/get-products | GET | New York | US |
| 2024-10-17 10:08:21 | 1200 | user45 | 500 | /api/v1/post-order | POST | London | UK |
This query sorts the logs by request duration, helping you identify which requests are taking the most time to complete.
In this example, you sort OpenTelemetry trace data by span duration in descending order, which helps you identify the longest-running spans across your services.
Query
```kusto
['otel-demo-traces']
| order by duration desc
```

Output
| _time | duration | span_id | trace_id | service.name | kind | status_code |
|---|---|---|---|---|---|---|
| 2024-10-17 10:10:01 | 15.3s | span4567 | trace123 | frontend | server | 200 |
| 2024-10-17 10:09:47 | 12.4s | span8910 | trace789 | checkoutservice | client | 200 |
| 2024-10-17 10:08:21 | 10.7s | span1112 | trace456 | productcatalogservice | server | 500 |
This query helps you detect performance bottlenecks by sorting spans based on their duration.
In this example, you analyze security logs by sorting them by time to view the most recent logs.
Query
```kusto
['sample-http-logs']
| order by _time desc
```

Output
| _time | req_duration_ms | id | status | uri | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2024-10-17 10:10:01 | 300 | user34 | 200 | /api/v1/login | POST | Berlin | DE |
| 2024-10-17 10:09:47 | 150 | user78 | 401 | /api/v1/get-profile | GET | Paris | FR |
| 2024-10-17 10:08:21 | 200 | user56 | 500 | /api/v1/update-profile | PUT | Madrid | ES |
This query sorts the security logs by time to display the most recent log entries first, helping you quickly review recent security events.
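The following query is an added example, not part of the original page, that builds on the security use case above and on the multi-field behaviour described under Returns. It narrows the logs to failed authentication and authorization responses, counts them per client id and country, and orders the groups by failure count, breaking ties by the most recent occurrence. The field names failures and last_seen are hypothetical, and the query assumes that status is a string field, as in Axiom's sample-http-logs dataset (use numeric literals in the in() list if status is numeric in your dataset).

```kusto
['sample-http-logs']
// Keep only 401 (unauthenticated) and 403 (forbidden) responses.
| where status in ("401", "403")
// One row per client id and country, with the number of failures and the
// time of the latest failure. The names failures and last_seen are hypothetical.
| summarize failures = count(), last_seen = max(_time) by id, ['geo.country']
// Primary key: most failures first. Tie-break: most recent activity first,
// so two clients with the same count are ranked by who was active last.
| order by failures desc, last_seen desc
| take 10
```

Because order sorts the whole result before take truncates it, the ten rows returned are the ten highest-ranked groups; placing take before order would keep ten arbitrary groups and then sort only those. The top operator listed below expresses the same order-then-truncate pattern in a single step.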
List of related operators
- top: The top operator returns the top N records based on a specific sorting criterion. It is similar to order but retrieves only a fixed number of results.
- summarize: The summarize operator groups data and often works in combination with order to rank summarized values.
- extend: The extend operator creates calculated fields, which can then be used as sorting criteria in the order operator.