
Specific Search not working after upgrade to Splunk 5.0


I've got a specific search that generates two time ranges on a timechart, using the instructions found in this Splunk blog entry: Compare two time ranges in one report.

This search worked perfectly... until yesterday, when we upgraded our search heads to Splunk 5.0.2.

I've confirmed this by running the exact search on another search head that is still running Splunk 4.3.3. The search works on Splunk 4 but does not work on Splunk 5.

Here is the (edited for privacy) search:

index="summary" search_name="Event Count Summary" earliest=-28d@d latest=@d
| eval Month="This Month"
| append [search index="summary" search_name="Event Count Summary" earliest=-56d@d latest=-28d@d
  | eval Month="Last Month"
  | eval new_time=_time+2419200]
| eval _time=if(isnotnull(new_time), new_time, _time)

On the 5.0.2 search head, I only get results for "Last Month" and only "Last Month" gets graphed. On the 4.3.3 search head, everything gets graphed perfectly.

I suspected possible timeouts in the subsearches, but the limits.conf files on the two search heads are almost identical.

How can a Splunk upgrade break a search? Where do I need to look?

Edit (2013/04/15): The comment below is correct; this definitely has to do with the 'append' command. Still no answer on this though, but in the meantime, I have taken it up with Splunk Enterprise support. Haven't heard from them in over a month now...

