Other than latest event first, based on _time, order is not guaranteed in Splunk unless you use commands that set it. Sort, or any of the various "by" options, will establish a required order. Two records that have identical keys as per the sort order are not guaranteed to be in any particular order.
This is because the search is distributed out to the indexes, which each return the data to the search head whenever they are finished collecting the data they own. The search head then processes what it gets, when it gets it.
The same search, run later on the same search head, is not even guaranteed the same order, as I understand it, because some indexers may be faster or slower one time than they were at a prior time, and when collating the data back together, Splunk has no reason to re-sort the data unless you told it to.
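The behaviour described in the answer above, as an added example that is not part of the original post and is not Splunk's code: a simplified Python model in which three indexers return their batches in a varying arrival order and the search head sorts the collected events. The events, field values and function names are constructed for illustration. It shows that a sort on `_time` alone leaves tied events in arrival order, so an order-dependent step such as "take the first row" changes between runs, while a sort with explicit tie-breakers does not.

```python
import random

# Constructed sample events: (_time, host, user). Two pairs share a _time.
INDEXER_A = [(100, "web01", "alice"), (105, "web01", "bob")]
INDEXER_B = [(100, "db01", "carol"), (103, "db01", "dave")]
INDEXER_C = [(105, "vpn01", "erin"), (101, "vpn01", "frank")]


def collect(indexers, rng):
    """Model the search head receiving batches in whatever order peers finish."""
    batches = list(indexers)
    rng.shuffle(batches)  # arrival order differs from run to run
    return [event for batch in batches for event in batch]


def sort_time_only(events):
    """Latest first on _time only; tied events keep their arrival order."""
    return sorted(events, key=lambda e: -e[0])


def sort_total(events):
    """Latest first on _time, then host and user as explicit tie-breakers."""
    return sorted(events, key=lambda e: (-e[0], e[1], e[2]))


def distinct_orderings(sorter, runs=200, seed=7):
    """Run the same modelled search many times; collect distinct result orders."""
    rng = random.Random(seed)
    indexers = [INDEXER_A, INDEXER_B, INDEXER_C]
    return {tuple(sorter(collect(indexers, rng))) for _ in range(runs)}


def first_event_variants(sorter, runs=200, seed=7):
    """What an order-dependent step (keep only the first row) would return."""
    return {order[0] for order in distinct_orderings(sorter, runs, seed)}


if __name__ == "__main__":
    print("orders, _time only:   ", len(distinct_orderings(sort_time_only)))
    print("orders, tie-breakers: ", len(distinct_orderings(sort_total)))
    print("first row, _time only:", sorted(first_event_variants(sort_time_only)))
    print("first row, total:     ", sorted(first_event_variants(sort_total)))
```
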