I am writing a simple XML dashboard (so I can do scheduled PDF reporting) in Splunk 5.0.5.

I want to do a side-by-side graph of a saved search:

  <row>
    <chart>
      <title>Internet Inbound Destination IP (Yesterday)</title>
      <searchName>H-Top-Internet-dst-ip-permitted</searchName>
      <earliestTime>-1d</earliestTime>
      <latestTime>@d</latestTime>
      <option name="charting.chart">bar</option>
    </chart>
    <chart>
      <title>Internet Inbound Destination IP (Last 60 Minutes)</title>
      <searchName>H-Top-Internet-dst-ip-permitted</searchName>
      <earliestTime>-60m</earliestTime>
      <latestTime>@m</latestTime>
      <option name="charting.chart">bar</option>
    </chart>
  </row><!-- 2. -->

But the result is a row with two of the same graphs for "Yesterday".

My saved search is currently like this:

[H-Top-Internet-dst-ip-permitted]
#dispatch.earliest_time = -2d@d
#dispatch.latest_time = @d
search = index=techsecu_summary source="Top-Internet-dst-ip-permitted" | top asa_dstip
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize = 1
auto_summarize.dispatch.earliest_time = -7d@d

All the lines below "search =" are added for accelerating the search. I previously had the two "dispatch." lines in there but they have been commented out for some time.

A colleague did point this post out to me. But that may very well have been Splunk 4 or earlier. I checked the simple XML references for 5.0.5. It does show the and options for panels.

So, have I hit a bug? Or is this a misunderstanding of the document on my part?