| makeresults | eval value=1 | stats count as "count: 1", count by value
If you try to use chart overlay with "count: 1" using the above query, nothing happens. It doesn't apply the overlay. If you try with "count", it works as expected. Both have worked in the past. Is this fixed in a future version? I didn't see it on the known issues page. Thanks.
Gah, thank you for posting this, I was second-guessing myself. I'm running into the same issue, not realizing it was the colons.
This is not browser-specific: I can repro in Safari and Firefox as well.
If I may tweak your repro into something that Splunk causes:
| makeresults | eval value=1 | timechart fixedrange=false max(value) as max, count by value
Chart overlay will not work with the timechart result because Splunk creates the fields "count: 1" and "max: 1".
Workaround: rename all the fields without the colon:
| rename "count: 1" as count_1, "max: 1" as max_1
Now you can put either field into the overlay. This doesn't scale with lots of data though.
My Splunk:
It is actually the spaces, not the colons. It works on newer versions of Splunk if you can update.
The only other workaround I'm aware of is using the Trellis view.
Ah, thanks for the update. I'm glad it's been addressed. I read through all the subsequent Release Notes 8.2.4-9.0 and didn't spot it.
I'll get a support ticket submitted to track down which version specifically fixes it.
Thank you!