Splunk 简明教程

Splunk - Sort Command

sort 命令按指定字段对所有结果进行排序。缺少的字段被视为具有该字段的最小值或最大值，具体取决于顺序是降序还是升序。如果 sort 命令的第一个参数是数字，则按顺序返回最多该数量的结果。如果没有指定数字，则使用 10000 的默认限制。如果指定数字 0，则返回所有结果。

The sort command sorts all the results by specified fields. The missing fields are treated as having the smallest or largest possible value of that field if the order is descending or ascending, respectively. If the first argument to the sort command is a number, then at most that many results are returned, in order. If no number is specified, the default limit of 10000 is used. If the number 0 is specified, all of the results are returned.

Sorting By Field Types

我们可以为正在搜索的字段分配特定的数据类型。Splunk 数据集中的现有数据类型可能与我们在搜索查询中强制执行的数据类型不同。在下面的示例中，我们将 status 字段按升序排列为数字。此外，名为 url 的字段被搜索为字符串，减号表示降序排列。

We can assign specific data type for the fields being searched. The existing data type in the Splunk dataset may be different than the data type we enforce in the search query. In the below example, we sort the status field as numeric in ascending order. Also, the field named url is searched as a string and the negative sign indicates descending order of sorting.

Sorting up to a Limit

我们还可以指定要排序的结果数量，而不是整个搜索结果。以下搜索结果显示了仅按 status 升序和 url 降序排列的 50 个事件。

We can also specify the number of results that will be sorted instead of the entire search result. The below search result shows the sorting of only 50 events with status as ascending and url as descending.

Using Reverse

我们可以使用 reverse 子句切换整个搜索查询的结果。在需要时，在不改变和逆转排序结果的情况下使用现有查询非常有用。

We can toggle the result of an entire search query by using the reverse clause. It is useful to use the existing query without altering and reversing the sort result as and when needed.