Splunk Search

timechart command with subsearch yields no results after update to 8.2.4


Hi all, I have been using a subsearch in a timechart command to dynamically select the correct span. The query looks like this:

| timechart [| makeresults | eval interval = "*" | `get_timespan(interval)` | eval span = "span=".timespan_from_macro | return $span] count by MYFIELD

The idea behind this is as follows. We have a dashboard where we have a selector to choose between a week, month, quarter, and year to show data. Depending on this, the span of the timechart should be adjusted. 

Therefore, interval is the token inserted from the dashboard and get_timespan is a search macro that yields 1w@w1, 1mon@mon, quarter, 1y@y to timespan_from_macro. In turn, this should specify the span to use in the timechart command.

This has been working fine for the last couple of weeks, and this approach has been suggested in this forum a few times. However, due to the Log4j vulnerability our admins were forced to update to 8.2.4, and now the query yields no results even though there should be some. Before, we were on version 8.2.2 (not 100% certain, but pretty confident).

Has something changed that requires me to adjust the query, or are there even better solutions for this? Or could it really be related to the update?

PS: The search does not throw an error, but yields no results. If I open the inspect job window and just copy-paste the generated query, it yields the correct results (since the subsearch has been executed and replaced with the correct span=... value).
