elastic · danhermann · Sep 29, 2020 · Sep 14, 2020
diff --git a/docs/reference/ingest/processors/grok.asciidoc b/docs/reference/ingest/processors/grok.asciidoc
@@ -308,6 +308,33 @@ The above request will return a response body containing a key-value representat
 --------------------------------------------------
 // NOTCONSOLE
 
+By default, the API returns patterns in the order they are read from disk. This
+sort order preserves groupings of related patterns. For example, all patterns
+related to parsing Linux syslog lines stay grouped together.
+
+You can use the optional boolean `s` query parameter to sort returned patterns
+by key name instead.
+
+[source,console]
+--------------------------------------------------
+GET _ingest/processor/grok?s
+--------------------------------------------------
+
+The API returns the following response.
+
+[source,js]
+--------------------------------------------------
+{
+  "patterns" : {
+    "BACULA_CAPACITY" : "%{INT}{1,3}(,%{INT}{3})*",
+    "BACULA_DEVICE" : "%{USER}",
+    "BACULA_DEVICEPATH" : "%{UNIXPATH}",
+    ...
+}
+--------------------------------------------------
+// NOTCONSOLE
+
+
 This can be useful to reference as the built-in patterns change across versions.
 
 [[grok-watchdog]]