I have a query as source="C:\Data\acctdata\snm4-logger.log" "Customer has successfully retrieved file"| rex "::\s(?
so that the result would be

userid    RecordCount  ByteCount  timestamp
AAMG1FBY  3105         1586745    05/03/13
AAMG1SBY  3129         1597053    04/03/13
Uh well, sort? http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
source="C:\\Data\\acctdata\\snm4-logger.log" "Customer has successfully retrieved file"
| rex "::\s(?<timestamp>\S+)\s"
| rex "^\S+\s(?<userid>\S+)\."
| rex "\s(?<file_name>\S+)\s\((?<record_count>\d+)\srecords/(?<byte_count>\d+)\sbytes\)$"
| stats count sum(record_count) as RecordCount sum(byte_count) as ByteCount by timestamp userid
| sort - timestamp
You should be able to do:
| sort -timestamp
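To show what the three rex extractions, the stats aggregation and the final sort actually do, here is an added Python re-implementation run over a few constructed log lines. This is not code from the original thread or from Splunk; the line layout is an assumption reverse-engineered from the rex patterns in the first answer (a leading token, then "userid." inside the second token, then "::", the timestamp, the message and "file (N records/M bytes)"), and the real snm4-logger.log may look different. It also illustrates a caveat a practitioner would want: "sort - timestamp" on a text field such as 05/03/13 sorts as a string, not as a date, so the function below can optionally sort chronologically using an assumed DD/MM/YY format ("%d/%m/%y").

```python
import re
from datetime import datetime

# Constructed sample log lines (assumption: layout inferred from the rex
# patterns in the answer above; the real snm4-logger.log may differ).
SAMPLE_LOG = """\
INFO AAMG1FBY.snm4:: 05/03/13 Customer has successfully retrieved file report_a.csv (3105 records/1586745 bytes)
INFO AAMG1SBY.snm4:: 04/03/13 Customer has successfully retrieved file report_b.csv (3129 records/1597053 bytes)
INFO AAMG1FBY.snm4:: 05/03/13 Customer has successfully retrieved file report_c.csv (10 records/512 bytes)
INFO AAMG1FBY.snm4:: 12/02/13 Customer has successfully retrieved file report_d.csv (7 records/256 bytes)
INFO AAMG1FBY.snm4:: 05/03/13 Customer failed to retrieve file report_e.csv
"""

# The search filter and the three rex patterns from the answer, with Splunk's
# (?<name>...) named groups written in Python's (?P<name>...) form.
FILTER_PHRASE = "Customer has successfully retrieved file"
RE_TIMESTAMP = re.compile(r"::\s(?P<timestamp>\S+)\s")
RE_USERID = re.compile(r"^\S+\s(?P<userid>\S+)\.")
RE_FILE = re.compile(
    r"\s(?P<file_name>\S+)\s\((?P<record_count>\d+)\srecords/(?P<byte_count>\d+)\sbytes\)$"
)


def parse_line(line):
    """Apply the search filter and the three rex extractions to one line.

    Returns the extracted fields, or None when the line does not match;
    Splunk would likewise leave such an event out of a stats ... by
    timestamp userid, because the group-by fields are missing.
    """
    if FILTER_PHRASE not in line:
        return None
    fields = {}
    for pattern in (RE_TIMESTAMP, RE_USERID, RE_FILE):
        m = pattern.search(line)
        if m is None:
            return None
        fields.update(m.groupdict())
    fields["record_count"] = int(fields["record_count"])
    fields["byte_count"] = int(fields["byte_count"])
    return fields


def aggregate(log_text):
    """Equivalent of:
    stats count sum(record_count) as RecordCount sum(byte_count) as ByteCount
    by timestamp userid
    Returns {(timestamp, userid): {"count", "RecordCount", "ByteCount"}}.
    """
    rows = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        key = (f["timestamp"], f["userid"])
        row = rows.setdefault(key, {"count": 0, "RecordCount": 0, "ByteCount": 0})
        row["count"] += 1
        row["RecordCount"] += f["record_count"]
        row["ByteCount"] += f["byte_count"]
    return rows


def sort_rows(rows, date_format=None):
    """Sort aggregated rows by timestamp, newest first.

    With date_format=None this is a plain string comparison, which is what
    'sort - timestamp' does to a text field. Passing a strptime format
    (e.g. "%d/%m/%y", an assumption for dates like 05/03/13) sorts
    chronologically instead.
    """
    def key(item):
        ts = item[0][0]
        return datetime.strptime(ts, date_format) if date_format else ts

    return [
        {"timestamp": ts, "userid": uid, **vals}
        for (ts, uid), vals in sorted(rows.items(), key=key, reverse=True)
    ]


if __name__ == "__main__":
    rows = aggregate(SAMPLE_LOG)
    print("string order:       ", [r["timestamp"] for r in sort_rows(rows)])
    print("chronological order:", [r["timestamp"] for r in sort_rows(rows, "%d/%m/%y")])
    for r in sort_rows(rows, "%d/%m/%y"):
        print(r["userid"], r["RecordCount"], r["ByteCount"], r["timestamp"])
```

With the constructed lines, the string sort puts 12/02/13 ahead of 05/03/13 because "1" sorts after "0", while the date-aware sort puts the March rows first. In Splunk the equivalent fix is to build a numeric field with strptime() (for example an eval before the stats) and sort on that, or to use _time directly if the timestamp extraction is the event time.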