This is what I ended up doing. Thank you for all the help!

If its acceptable to you, you can go with format like this "%Y - %m (%b)". This will get sorted properly and it does shows the string format month as well.

2014 - 04(Apr)
2014 - 08(Aug)
2014 - 12(Dec)
2014 - 07(Jul)

You can't. Splunk sorts the legend based on the value of newPartName.
If it is in the format %Y-%b, then the months are going to sort alphabetically.

It's true that changing the month to a digit will fix the issue. Thank you for the suggestion but my question is how do I sort the legend with the format %Y-%b.

Yes, Splunk automatically sorts by the "by" clause of the timechart command. Since newPartName is a string, I would expect it to sort exactly as it did.

That's why I set the format to "%Y-%m" instead of "%Y-%b" - because then it would sort by month number instead of month name.

This is my search now


index=batch
| eval hours = (duration/(1000*60*60))
| rex field=partName "regular(?.*)"
| eval newPartTime = strftime(strptime(tmpDate + "01","%b%y%d"),"%Y-%b")
| timechart span=1d limit=15 sum(duration) by newPartTime


The legend is sorted alphabetically:


2014 - Apr
2014 - Aug
2014 - Dec
2014 - Jul
2014 - Jun
2014 - May
2014 - Nov
2014 - Oct
2014 - Sep
2015 - Apr
2015 - Fed
[...]


This does show legend for my sample view (appears in ascending order of time and values comes as this.
2014-10
2014-11
2014-12
2015-01
2015-02
2015-03
2015-04
2015-05

This "works" but doesn't sort the values in the legend of my timechart, which is what I was asking

strptime(tmpDate,"%b%y") will return NULL as it requires a day part as well. It should be changed with strptime("01-".tmpDate,"%d-%b%y"), keeping remaining things same.