Skip to main content
The project-reorder operator in APL allows you to rearrange the fields of a dataset without modifying the underlying data. This operator is useful when you need to control the display order of fields in query results, making your data easier to read and analyze. It can be especially helpful when working with large datasets where field ordering impacts the clarity of the output. Use project-reorder when you want to emphasize specific fields by adjusting their order in the result set without changing their values or structure.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you use the table command to reorder fields, which works similarly to how project-reorder functions in APL.
| table FieldA, FieldB, FieldC
In ANSI SQL, the order of fields in a SELECT statement determines their arrangement in the output. In APL, project-reorder provides more explicit control over the field order without requiring a full SELECT clause.
SELECT FieldA, FieldB, FieldC FROM dataset;

Usage

Syntax

| project-reorder Field1 [asc | desc | granny-asc | granny-desc], Field2 [asc | desc | granny-asc | granny-desc], ...

Parameters

  • Field1, Field2, ...: The names of the fields in the order you want them to appear in the result set.
  • [asc | desc | granny-asc | granny-desc]: Optional: Specifies the sort order for the reordered fields. asc or desc order fields by field name in ascending or descending manner. granny-asc or granny-desc order by ascending or descending while secondarily sorting by the next numeric value. For example, b50 comes before b9 when you use granny-asc.

Returns

A table with the specified fields reordered as requested followed by any unspecified fields in their original order. project-reorder doesn‘t rename or remove fields from the dataset. All fields that existed in the dataset appear in the results table.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
In this example, you reorder HTTP log fields to prioritize the most relevant ones for log analysis.Query
['sample-http-logs']
| project-reorder _time, method, status, uri, req_duration_ms, ['geo.city'], ['geo.country']
Run in PlaygroundOutput
_timemethodstatusurireq_duration_msgeo.citygeo.country
2024-10-17 12:34:56GET200/home120New YorkUSA
2024-10-17 12:35:01POST404/api/v1/resource250BerlinGermany
This query rearranges the fields for clarity, placing the most crucial fields (_time, method, status) at the front for easier analysis.

Wildcard

Wildcard refers to a special character or a set of characters that can be used to substitute for any other character in a search pattern. Use wildcards to create more flexible queries and perform more powerful searches. The syntax for wildcard can either be data* or ['data.fo']*. Here’s how you can use wildcards in project-reorder: Reorder all fields in ascending order: 
['sample-http-logs'] 
| project-reorder * asc
Run in Playground Reorder specific fields to the beginning: 
['sample-http-logs'] 
| project-reorder method, status, uri
Run in Playground Reorder fields using wildcards and sort in descending order: 
['github-push-event'] 
| project-reorder repo*, num_commits, push_id, ref, size, ['id'], size_large desc
Run in Playground Reorder specific fields and keep others in original order: 
['otel-demo-traces']
| project-reorder trace_id, *, span_id // orders the trace_id then everything else, then span_id fields
Run in Playground
  • project: Use the project operator to select and rename fields without changing their order.
  • extend: extend adds new calculated fields while keeping the original ones in place.
  • summarize: Use summarize to perform aggregations on fields, which can then be reordered using project-reorder.
  • sort: Sorts rows based on field values, and the results can then be reordered with project-reorder.