From 08d6f288c126f5b74a32530312be79c988eb9228 Mon Sep 17 00:00:00 2001 From: Dan Hermann Date: Mon, 14 Sep 2020 12:36:21 -0500 Subject: [PATCH] [DOCS] Sort option for the grok patterns endpoint (#62092) --- .../reference/ingest/processors/grok.asciidoc | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/reference/ingest/processors/grok.asciidoc b/docs/reference/ingest/processors/grok.asciidoc index 70abdebfa6e65..1c7e6d1b0aaed 100644 --- a/docs/reference/ingest/processors/grok.asciidoc +++ b/docs/reference/ingest/processors/grok.asciidoc @@ -308,6 +308,33 @@ The above request will return a response body containing a key-value representat -------------------------------------------------- // NOTCONSOLE +By default, the API returns patterns in the order they are read from disk. This +sort order preserves groupings of related patterns. For example, all patterns +related to parsing Linux syslog lines stay grouped together. + +You can use the optional boolean `s` query parameter to sort returned patterns +by key name instead. + +[source,console] +-------------------------------------------------- +GET _ingest/processor/grok?s +-------------------------------------------------- + +The API returns the following response. + +[source,js] +-------------------------------------------------- +{ + "patterns" : { + "BACULA_CAPACITY" : "%{INT}{1,3}(,%{INT}{3})*", + "BACULA_DEVICE" : "%{USER}", + "BACULA_DEVICEPATH" : "%{UNIXPATH}", + ... +} +-------------------------------------------------- +// NOTCONSOLE + + This can be useful to reference as the built-in patterns change across versions. [[grok-watchdog]]
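Review bot: The sample response in the added `[source,js]` block opens the outer object and `"patterns" : {` but closes only one brace after `...`, so the snippet is unbalanced. Add a closing `}` for the `patterns` object before the final `}`. The context sentence "This can be useful to reference as the built-in patterns change across versions." used to follow the existing response example directly and now sits after the sorted output, so "This" reads as referring to the sort option. Consider placing the new paragraphs after that sentence or rewording it. The text calls `s` a boolean while the example passes a bare `?s`, so stating the default and the accepted values would remove the ambiguity. The hunk also adds two consecutive blank lines before the context sentence, where one is enough.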