Splunk Cloud Platform

Why is chain search not inheriting value from time range token?

nttran
Engager
Hello,
I am using Dashboard Studio on Splunk Cloud - 8.2.2203.2, where I have a base search and 2 chained searches that reference the base search. The base search is using the Global Time Range (global_time) as a time range input when searching. The chain searches should also inherit the same value that the base search is getting from global_time, as shown below.
 
"Time Range
Currently using Global Time Range input
$global_time.earliest$ - $global_time.latest$"
 
However, when I change the time input, the panel that is using one of the chain searches does not load automatically and only works if I refresh the entire page. In addition, when I click on the magnifying glass (Open in Search) for the panel, it takes me to a search page but does not return any results because of the error "Invalid earliest_time". I then manually selected "Last 24 hours" for the time range in the search query drop-down button, and that resolved the error and returned results. This tells me that the search query itself is good but there may have been an issue with the time range value not being passed from the base search to the chain search. If my panel is referencing a base search directly, the time range value works perfectly, the dashboard re-searches when I change the time, and there is no error when I click "Open in Search".
 
I also noted that after I click "Open in Search" for the panel that is using a chain search, the URL had this in it: "earliest=%24global_time.earliest%24&latest=%24global_time.latest%24". This tells me that the value that global_time was holding did not get passed on to the chain search. I confirmed this by manually selecting "Last 24 hours" for the time range in the search query drop-down button and noted this in the URL: "earliest=-24h%40h&latest=now". Something along this line should have been in the URL when I click "Open in Search" instead of the variable name.
 
Can someone please help to see if this is a bug, or is there something special that needs to be configured for a chain search to inherit the value from a time range token?
 
Thank you
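
The URL check described in the post above, as an added example that is not part of the original thread: it percent-decodes an "Open in Search" URL (or just its query string) and reports any time parameter that still holds a literal `$token$` instead of a time value. The function and constant names are assumptions; the two query strings are the ones quoted in the post, and the host in the third sample is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Dashboard tokens are written $name$ or $name.field$. If one survives into the
# search URL, it was never substituted before the link was built.
TOKEN_RE = re.compile(r"\$[A-Za-z_][\w.:|]*\$")


def unresolved_time_params(url_or_query, params=("earliest", "latest")):
    """Return {param: [token, ...]} for time parameters that still contain $token$ text."""
    # Accept either a full URL or a bare query string copied from the address bar.
    query = urlsplit(url_or_query).query if "?" in url_or_query else url_or_query
    values = parse_qs(query, keep_blank_values=True)  # decodes %24 -> $, %40 -> @
    found = {}
    for name in params:
        for value in values.get(name, []):
            tokens = TOKEN_RE.findall(value)
            if tokens:
                found.setdefault(name, []).extend(tokens)
    return found


# Query string seen after "Open in Search" on the chain-search panel (from the post).
BROKEN = "earliest=%24global_time.earliest%24&latest=%24global_time.latest%24"
# Query string after manually selecting "Last 24 hours" (from the post).
WORKING = "earliest=-24h%40h&latest=now"
# Constructed full URL with a placeholder host, mixing one unresolved and one resolved value.
MIXED = "https://splunk.example.invalid/search?earliest=%24global_time.earliest%24&latest=now"

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("working", WORKING), ("mixed", MIXED)):
        print(label, unresolved_time_params(sample) or "all time parameters resolved")
```
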

weidertc
Communicator

I can confirm this is still an issue.

Version: 9.0.2303.202

Build: 06d6be78fc0e

Setting the Base Search to use the global time selector's token and verifying the chain searches are using the same token is not sufficient in getting the time selector to update the panels. They just stay frozen when changing the time selector. Dashboards cannot be optimized properly if we cannot use base searches.

I cannot take over the world with this bug in place.

0 Karma

kristenqw
Engager

Experiencing the same issue on Splunk Enterprise 9.0.0 with the "Open in Search" for panels using chain searches.

Changing the time input seems to work fine for panels using chain searches, though.

0 Karma

DATEVeG
Path Finder

We also stumbled across this bug in Splunk Enterprise 9.0.2.

Has anyone found a solution yet or opened a case for this?

0 Karma