Let me simplify your problem statement by eliminating JSON path from the equation. The requirements are simply these:

- In a dashboard, there is a dropdown input token, say SomeToken.
- SomeToken has a fixed, predefined entry with label "All".
- The rest of the choices for SomeToken are populated by a search. I will call this search <tokenSearch>.
- Events in the dashboard panel may or may not contain a field of interest named SomeField.
- If the user selects "All" (predefined, fixed value), all events should be returned regardless of SomeField.
- If the user selects any other value populated by <tokenSearch>, only events with SomeField = SomeToken should be returned.

(In your case, SomeField is resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue, and you call SomeToken Token_Mr_jobId.)

@livehybrid already gives the solution: Do not return only SomeFieldValue in <tokenSearch> and use the value to populate both input label and input value. Use a different strategy in <tokenSearch>, i.e., return SomeFieldValue as input label, and "SomeField=SomeFieldValue" as input value.

<fieldForLabel>SomeFieldValue</fieldForLabel>
<fieldForValue>SomeField=SomeFieldValue</fieldForValue>

Then, in your panel search, do not use "SomeField = $SomeToken$". Instead, simply insert $SomeToken$ as a search term.

One more suggestion: Do not use a pipe between your index search and the tokenized filter if SomeField is already extracted at search time. This unnecessarily burdens Splunk.

In the following demo dashboard, SomeField is substituted with thread_name from index _internal; thread_name_tok is SomeToken. The key here is <tokenSearch>:

index=_internal component=*
| stats values(thread_name) as token_label
| mvexpand token_label
| eval token_value = "thread_name=" . token_label

This search differs from yours in one critical step: the last eval sets token_value to a search term involving field name thread_name, not a simple value of this field. Then, token_label and token_value are used to populate input label and value, respectively. In this example, I set "All" label to a zero-length character as value, which is equivalent to * in search command but more economical.

Full demo dashboard as follows. Play with it and fit it into your dataset.

<form version="1.1" theme="light">
  <label>Search for a path the might not exist</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Search-for-a-path-the-might-not-exist/m-p/746683#M241692</description>
  <fieldset submitButton="false">
    <input type="dropdown" token="thread_name_tok" searchWhenChanged="true">
      <label>Select thread_name</label>
      <choice value="">All events</choice>
      <default></default>
      <fieldForLabel>token_label</fieldForLabel>
      <fieldForValue>token_value</fieldForValue>
      <search>
        <query>index=_internal component=*
| stats values(thread_name) as token_label
| mvexpand token_label
| eval token_value = "thread_name=" . token_label</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Token value of your selection: &gt;$thread_name_tok$&lt;</title>
      <event>
        <search>
          <query>index=_internal component=* $thread_name_tok$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </event>
    </panel>
  </row>
</form>

Hope this helps.