sort - Amazon CloudWatch Logs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

sort

Use sort to display log events in ascending (asc) or descending (desc) order by a specified field. You can use this with the limit command to create "top N" or "bottom N" queries.

The sorting algorithm is an updated version of natural sorting. If you sort in ascending order, the following logic is used.

  • All non-number values come before all number values. Number values are values that include only numbers, not a mix of numbers and other characters.

  • For non-number values, the algorithm groups consecutive numeric characters and consecutive alphabetic characters into separate chunks for comparison. It orders non-numeric portions by their Unicode values, and it orders numeric portions by their length first and then by their numerical value.

For more information about Unicode order, see List of Unicode characters.

For example, the following is the result of a sort in ascending order.

!:	>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> sorted by unicode order
#
*%04
0#	>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Alphanumeric starting with numbers
5A
111A   >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  Starts with more digits than 5A, so it sorted to be later than 5A
2345_
@	>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 2345 is compared with @ in the unicode order, 
@_
A	>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Values starting with letters
A9876fghj
a12345hfh
0	>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Number values
01
1
2
3

If you sort in descending order, the sort results are the reverse.

For example, the following query for Amazon VPC flow logs finds the top 15 packet transfers across hosts.

stats sum(packets) as packetsTransferred by srcAddr, dstAddr
    | sort packetsTransferred  desc
    | limit 15