Splunk Search

timechart command with subsearch yields no results after update to 8.2.4

just_me
New Member

Hi all, I have been using a subsearch in a timechart command to dynamically select the correct span. The query looks like this:

| timechart [| makeresults | eval interval = "*" | `get_timespan(interval)` | eval span = "span=".timespan_from_macro | return $span] count by MYFIELD

The idea behind this is as follows. We have a dashboard where we have a selector to choose between a week, month, quarter, and year to show data. Depending on this, the span of the timechart should be adjusted. 

Therefore, interval is the token inserted from the dashboard and get_timespan is a search macro that yields 1w@w1, 1mon@mon, quarter, 1y@y to timespan_from_macro. In turn, this should specify the span to use in the timechart command.

This has been working fine for the last couple of weeks, and this approach has been suggested in this forum a few times. However, due to the log4j vulnerability our admins were forced to update to 8.2.4 and now the query yields no results even though there should be. Before, we were on version 8.2.2 (not 100% certain but pretty confident).

Has something changed that requires me to adjust the query, or are there even better solutions for this? Or could it really be related to the update?

PS: The search does not throw an error, but yields no results. If I open the inspect job window and just copy and paste the generated query, it yields the correct results (since the subsearch has been executed and replaced with the correct span=... value).
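The dashboard described in the post drives the span through a macro and a subsearch inside timechart. The Simple XML below is an added example, not code from the original post or from Splunk, showing the same dashboard with the dropdown writing a span token directly, so the timechart receives a literal span value with no subsearch and no macro. The token name span_tok, the index placeholder, and the mapping of Week/Month/Quarter/Year to 1w/1mon/3mon/1y are assumptions made for this example; the post's own macro returns different values.

```xml
<form>
  <label>Timechart with dashboard-selected span (added example)</label>
  <fieldset submitButton="false">
    <!-- The dropdown sets the span token itself. Values are this
         example's assumed mapping, not the values the post's macro returns. -->
    <input type="dropdown" token="span_tok" searchWhenChanged="true">
      <label>Interval</label>
      <choice value="1w">Week</choice>
      <choice value="1mon">Month</choice>
      <choice value="3mon">Quarter</choice>
      <choice value="1y">Year</choice>
      <default>1w</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- PLACEHOLDER_INDEX and MYFIELD stand in for the real index and field.
               $span_tok$ is substituted before the search is parsed, so the
               search Splunk runs is the same literal "span=1w" form the poster
               sees when copying the expanded query from the job inspector. -->
          <query>index=PLACEHOLDER_INDEX | timechart span=$span_tok$ count by MYFIELD</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the token is expanded into the search string before parsing, the job inspector shows the same fixed `span=` value that the post reports works when pasted by hand, which makes this form straightforward to verify after a version upgrade: the search in the inspector should read exactly like the one typed manually.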
