EDIT: It appears subsearch is what's broken, not appendcols. The follow fails on 5.0.2 search heads, but not 4.3.4 search heads. (Same 4.3.4 indexers on the back end.)

index=app_main earliest=-1h@h-5m latest=-1h@h [search index=app_main earliest=-1d@h-65m latest=-1d@h-1h | stats count by host | fields host ]

EDIT2: Using a 5.0.1 search head with a 5.0.1 back end works. Upgrading the SH to 5.0.2 for the search head broke subsearches.

original post below:

I'm testing my apps on a 5.0.2 search head before upgrading from 4.3.4. The indexers (4) are 4.3.4. All 64-bit Linux versions. I use appendcols for week-over-week and day-over-day comparisons in a lot of my dashboards.

With 5.0.2, appendcols is failing in odd ways. Some queries yield no results at all. Others yield duplicated results. The individual searches by themselves work perfectly fine. The "compound" searches work fine on a 4.3.4 search head.

Examples:

This one showed 0 results in the timeline chart across the top of the page, but the table showed correct results for LastWeek and wrong (0) for Today. The search works fine from a 4.3.4 search head. Each individual search returns correct results on 5.0.2.

index=app_main earliest=-31m@m latest=-1m@m LGN | timechart span=1m dc(CustID) as Today | appendcols [search index=app_sum earliest=-1w@m-31m latest=-1w@m-1m uCIDs | timechart span=1m sum(uCIDs) as LastWeek | fields LastWeek ]

This one shows reults in both columns, and in the flash timeline, but the Yesterday column is just a dup of the Today column, which isn't right. Again, a 4.3.4 search head yields correct numbers.

index=app_main error earliest=-15m | timechart count as Today | appendcols [search index=app_main error earliest=-1d-15m latest=-1d | timechart count as Yesterday | fields Yesterday ]

Anyone else? I've tried looking through the _internal index for interesting events, but I don't see anything related. Tips? Ticket time?