array_sort_desc()

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Receives one or more arrays. Sorts the first array in descending order. Orders the remaining arrays to match the reordered first array.

Syntax

array_sort_desc(array1[, ..., argumentN])

array_sort_desc(array1[, ..., argumentN],nulls_last)

If nulls_last isn't provided, a default value of true is used.

Learn more about syntax conventions.

Parameters

Name Type Required Description
array1...arrayN dynamic ✔️ The array or list of arrays to sort.
nulls_last bool Determines whether nulls should be last.

Returns

Returns the same number of arrays as in the input, with the first array sorted in ascending order, and the remaining arrays ordered to match the reordered first array.

null is returned for every array that differs in length from the first one.

If an array contains elements of different types, it's sorted in the following order:

  • Numeric, datetime, and timespan elements
  • String elements
  • Guid elements
  • All other elements

Example 1 - Sorting two arrays

let array1 = dynamic([1,3,4,5,2]);
let array2 = dynamic(["a","b","c","d","e"]);
print array_sort_desc(array1,array2)

Output

array1_sorted array2_sorted
[5,4,3,2,1] ["d","c","b","e","a"]

Note

The output column names are generated automatically, based on the arguments to the function. To assign different names to the output columns, use the following syntax: ... | extend (out1, out2) = array_sort_desc(array1,array2)

Example 2 - Sorting substrings

let Names = "John, Paul, George, Ringo";
let SortedNames = strcat_array(array_sort_desc(split(Names, ",")), ",");
print result = SortedNames

Output

result
Ringo, Paul, John, George

Example 3 - Combining summarize and array_sort_desc

datatable(command:string, command_time:datetime, user_id:string)
[
    'chmod',   datetime(2019-07-15),   "user1",
    'ls',      datetime(2019-07-02),   "user1",
    'dir',     datetime(2019-07-22),   "user1",
    'mkdir',   datetime(2019-07-14),   "user1",
    'rm',      datetime(2019-07-27),   "user1",
    'pwd',     datetime(2019-07-25),   "user1",
    'rm',      datetime(2019-07-23),   "user2",
    'pwd',     datetime(2019-07-25),   "user2",
]
| summarize timestamps = make_list(command_time), commands = make_list(command) by user_id
| project user_id, commands_in_chronological_order = array_sort_desc(timestamps, commands)[1]

Output

user_id commands_in_chronological_order
user1 [
"rm",
"pwd",
"dir",
"chmod",
"mkdir",
"ls"
]
user2 [
"pwd",
"rm"
]

Note

If your data may contain null values, use make_list_with_nulls instead of make_list.

Example 4 - Controlling location of null values

By default, null values are put last in the sorted array. However, you can control it explicitly by adding a bool value as the last argument to array_sort_desc().

Example with default behavior:

print array_sort_desc(dynamic([null,"blue","yellow","green",null]))

Output

print_0
["yellow","green","blue",null,null]

Example with nondefault behavior:

print array_sort_desc(dynamic([null,"blue","yellow","green",null]), false)

Output

print_0
[null,null,"yellow","green","blue"]

To sort the first array in ascending order, use array_sort_asc().