Skip to main content
The order operator in Axiom Processing Language (APL) allows you to sort the rows of a result set by one or more specified fields. You can use this operator to organize data for easier interpretation, prioritize specific values, or prepare data for subsequent analysis steps. The order operator is particularly useful when working with logs, telemetry data, or any dataset where ranking or sorting by values (such as time, status, or user ID) is necessary.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the equivalent operator to order is sort. SPL uses a similar syntax to APL but with some differences. In SPL, sort allows both ascending (asc) and descending (desc) sorting, while in APL, you achieve sorting using the asc() and desc() functions for fields.
| sort - _time
In ANSI SQL, the equivalent of order is ORDER BY. SQL uses ASC for ascending and DESC for descending order. In APL, sorting works similarly, with the asc() and desc() functions added around field names to specify the order.
SELECT * FROM logs ORDER BY _time DESC;

Usage

Syntax

| order by FieldName [asc | desc], FieldName [asc | desc]

Parameters

  • FieldName: The name of the field by which to sort.
  • asc: Sorts the field in ascending order.
  • desc: Sorts the field in descending order.

Returns

The order operator returns the input dataset, sorted according to the specified fields and order (ascending or descending). If multiple fields are specified, sorting is done based on the first field, then by the second if values in the first field are equal, and so on.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
In this example, you sort HTTP logs by request duration in descending order to prioritize the longest requests.Query
['sample-http-logs']
| order by req_duration_ms desc
Run in PlaygroundOutput
_timereq_duration_msidstatusurimethodgeo.citygeo.country
2024-10-17 10:10:011500user12200/api/v1/get-ordersGETSeattleUS
2024-10-17 10:09:471350user23404/api/v1/get-productsGETNew YorkUS
2024-10-17 10:08:211200user45500/api/v1/post-orderPOSTLondonUK
This query sorts the logs by request duration, helping you identify which requests are taking the most time to complete.
  • top: The top operator returns the top N records based on a specific sorting criteria, which is similar to order but only retrieves a fixed number of results.
  • summarize: The summarize operator groups data and often works in combination with order to rank summarized values.
  • extend: The extend operator can be used to create calculated fields, which can then be used as sorting criteria in the order operator.