Ordering commands

limit

Limits the number of returned records.

You can increase or decrease the limit depending on your needs. Changing the limit has an impact on your DDU consumption and query execution time.

Syntax

limit numberOfQueryRecords

Basic example

Example: Query three records

The following query uses the limit command to limit the result to three records.

data record(a = 2),
     record(a = 3),
     record(a = 7),
     record(a = 7),
     record(a = 1)
| limit 3

Query result:

Practical example

Example: Query up to five logs

The following query uses the fetch command to load data from logs. Up to one thousand log records are returned by default, but the limit command limits the result to five records.

fetch logs
| limit 5

sort

Sorts the records. When using the sort command, the default sorting order is ascending. You can control the order in which your records are displayed by adding asc for ascending and desc for descending. Sorting is case-sensitive, which means that inputs beginning with capital letters (for example, K) are listed before those beginning with lowercase (for example, d).

Syntax

sort fieldname [asc | desc][, ...]

Basic examples

Example 1: Sort result by one field

The following query uses the sort command to sort the result by field a.

data record(a = 2),
     record(a = 3),
     record(a = 7),
     record(a = 7),
     record(a = 1)
| sort a

Query result:

Example 2: Sort result by multiple fields

The following query uses the sort command to sort the result by field a descending and field b ascending.

data record(a = 2),
     record(a = 3),
     record(a = 7, b = 2),
     record(a = 7, b = 1),
     record(a = 1)
| sort a desc, b asc

Query result:

Practical example

Example: Sort business events by two fields

The following query uses the fetch command to query business events. The sort command sorts the records by timestamp descending. If there are records with the same timestamp, they are sorted by event.type ascending.

fetch bizevents
| sort timestamp desc, event.type asc

Sorting heterogeneous data

Sorting by fields with heterogeneous data sorts the records primarily based on the data type of the field in each record in the following ascending order: boolean, long and double, binary, string, timestamp, duration, timeframe, uid, ip, array, record. Long and double are considered equivalent in the sorting by data type. This also means that for equal numeric (long or double) values the order of the records in the input is preserved in the output of the sort command.

Example: Sort results by one field containing heterogeneous data

The following query sorts the records by field a, where the field can be of different data types.

data record(a = "6"),
     record(a = 7.0),
     record(a = 7),
     record(a = 0),
     record(a = 0.0),
     record(a = ip("1.1.1.1")),
     record(a = record(b = 1)),
     record(a = array(0, 1, 2)),
     record(a = now()),
     record(a = array()),
     record(),
     record(a = toUid(1)),
     record(a = timeframe(now() - 5m, to: now())),
     record(a = duration(5, "d")),
     record(a = decodeBase64ToBinary(encodeBase64("A"))),
     record(a = true)
| sort a asc
| fieldsAdd type(a)

Query result: