Fields can be "sorted" using the
your_search | fields col0 col1 col2 col3 col4 col5
http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/Createandmaintainsearch-timefieldextractio..., you may not have fields that begin with 0-9.
Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk Enterprise's internal variables.
Based on your comment, I can say that they are sorted by numeral already, just that it is based on the beginning number. To do what you want, do this:
your_search | eval tt = case(X<10,"00".X,X<100,"0".X,1=1,X) | timechart count by tt
Add additional case statements for each increase in the tens place, and make sure the padding is correct.
Thanks for your answer. The headers are values of a field "X", which I create during my search. The command looks like this:
| timechart span=1d dc(user) by X
So it's not about sorting fields, but sorting the values of field X (which are the column headers in the shown chart).
This seems to work fine, thanks!
To make sure that I understand what I'm doing here:
Could you explain why we are using a "dot" in the Y argument? And what's the use of the last pair "(1=1,X)"?
The "." is combining the string "0" with the value of X. The last pair makes sure that anything not matching in the case statement will assign the value of X to the field "tt", to make sure they are all there.
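An added example, not part of the thread above: a Python model of the case() padding from the answer, showing why string-ordered headers come out wrong, how the padding fixes it, and where the three-digit padding stops working. The function names and sample values are constructed for illustration, and X is assumed to be a non-negative integer.

```python
# Added illustration: models in Python what the SPL eval in the answer does.
# All names here are hypothetical; the sample values of X are constructed.

def case_pad(x: int) -> str:
    """Mirror of: case(X<10,"00".X, X<100,"0".X, 1=1,X)"""
    if x < 10:
        return "00" + str(x)   # "." in SPL concatenates strings
    if x < 100:
        return "0" + str(x)
    return str(x)              # the 1=1 pair: catch-all, value kept as-is


def pad_to_width(values):
    """Generalisation: pad every value to the width of the largest one."""
    width = len(str(max(values)))
    return {v: str(v).zfill(width) for v in values}


def header_order(labels):
    """Order labels as strings, the way the answer describes the headers."""
    return sorted(labels)


def is_numeric_order(labels):
    """True when the string order is also the numeric order."""
    nums = [int(s) for s in labels]
    return nums == sorted(nums)


SAMPLE = [1, 2, 10, 25, 100, 999]            # constructed values of X
UNPADDED = header_order(str(v) for v in SAMPLE)
PADDED = header_order(case_pad(v) for v in SAMPLE)
# Edge case: 1000 needs a fourth digit, which the three-wide case() lacks,
# so "1000" sorts before "999". This is why the answer says to add a case
# pair for each further digit.
OVERFLOW = header_order(case_pad(v) for v in SAMPLE + [1000])
GENERAL = header_order(pad_to_width(SAMPLE + [1000]).values())

if __name__ == "__main__":
    for name, cols in [("unpadded", UNPADDED), ("case()", PADDED),
                       ("case() with 1000", OVERFLOW), ("general", GENERAL)]:
        print(f"{name:18} {cols} numeric_order={is_numeric_order(cols)}")
```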