you are correct, some of the fields are automatically extracted as part of the Event heading, but none of the fields I am interested in are available, such as: tracePoint content.attributes[]  //not interested in the headers applicationName applicationVersion environmen By the way, I tried what you suggested: | spath input=data but I see no change in my search results. Thank you  

Question about your "second search". By that do you mean you want to do a drilldown when the  user clicks on one of the result rows to display the information surrounding that event? If  so, what kind of dashboard are you using (simple xml, or dashboard studio)?

Do you mean something like index=* | stats values(*) as * by sourcetype | foreach * [eval fields = mvappend(fields, if("<<FIELD>>" != "sourcetype", "<<FIELD>>", null()))] | stats values(fields) as fields by sourcetype

This would be done on a heavy forwarder or the indexer(s), whichever the events hit first. The below link has information for how to do this. You can do it with SEDCMD in a props.conf. The code below is an excerpt from that page that shows specifically how you would do this. In this case this <Data Name='IpPort'>0</Data> is being turned into this <Data Name='IpPort'></Data>. #For XmlWinEventLog:Security SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/ https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration

Have you tried "| table *"?  In other words, is that message the raw events?  Because if it is, Splunk would have already given you all the fields like correlationId, message, content.clientId, content.attributes.reasonPhrase, and so on. If the message is in a field named "data", you can use spath to extract it.     | spath input=data     Either way, your sample would give these fields and values fieldname fieldvalue applicationName cfl-service-integration-proxy applicationVersion 61808 category com.cfl.api.service-integration content.attributes.reasonPhrase OK content.attributes.statusCode 200 content.clientId 1234567 correlationId 3-f86043c0-6c3c-11ee-8502-123c53e78683 elapsed 435 environment dev message API Response priority INFO threadName [cfl-service-integration-proxy].proxy.BLOCKING @78f55ba timestamp 2023-9-16T15:59:22.083Z tracePoint END Hope this helps.  

Do you know about the Distributed Management Console? Monitoring Splunk Enterprise overview - Splunk Documentation   You could peek into the dashboards/queries in there for help on building the SPL.  Also, there might be some alerts you can turn on.   Run DMC for the win.  

You didn't show how $index_scope$ is used inside the macro.  Using hints from the sample values, that dropdown based on these values used to work as desired, and from semantic heuristics, as well as your choice of token name, I can only speculate that inside you macro `compliance(7)`, you use the first input in a search command, i.e., (I'll call the first input $input1$ - which correspond to $mytok$ in my previous illustration), the macro has a command like index=$input1$ The following will be based on this speculation.  If this is too far from the real macro code, the analysis will not apply although I will try to be as general as can be meaningfully presented. (As you can see, I wouldn't have to make wild guesses which may well be incorrect had you provided relative information.) The second part of the analysis will focus on input options that you can set when setting a multiselect inputs as I exemplified earlier. In your sample code, none of these is set.  In that case, Splunk will use a space as default delimiter, and give no prefix and no suffix.  I have not found the tutorial about input, but definitive information is in input (form).  To help you understand how these choices affect resultant token, I drafted this test dashboard for you to play with: <form version="1.1"> <label>Checkbox test</label> <fieldset submitButton="false"> <input type="checkbox" token="index_scope" searchWhenChanged="true"> <label>Choose console</label> <choice value="1T*">Standard</choice> <choice value="2A*">Scada</choice> <choice value="2S*">AWS</choice> <default>1T*</default> <initialValue>1T*</initialValue> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval index_scope = "$index_scope$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> The third part of analysis is straightforward with search command.  Understandably, if you select "Standard" from a dropdown, or if only Standard is checked, your macro will get the command search index=1T* (The search command is implied if it is on the first line.  Otherwise you must write it explicitly.)  Now, if you select "Standard" and "Scada", the macro will get search index=1T* 2A* I suspect that you are expecting something like index=1T* OR index=2A* instead.  Is this correct?  One way to do this, obviously, is to set Delimiter to " OR ", and value prefix to "index=".  Note the space before and after keyword "OR" is important. <form version="1.1" theme="light"> <label>Checkbox test</label> <fieldset submitButton="false"> <input type="checkbox" token="index_scope" searchWhenChanged="true"> <label>Choose console</label> <choice value="1T*">Standard</choice> <choice value="2A*">Scada</choice> <choice value="2S*">AWS</choice> <default>1T*</default> <initialValue>1T*</initialValue> <delimiter> OR </delimiter> <valuePrefix>index=</valuePrefix> </input> </fieldset> <row> <panel> <table> <search> <query>| makeresults | eval index_scope = "$index_scope$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form>  

I'll preface this with there are some best practices I'm skipping over for a production dashboard - formally creating a lookup & setting permissions, scheduling a saved search (aka report) to create this lookup, etc.  I'm also assuming you have admin access to your environment since this example uses data you would have in your index=_internal.  The important thing here is the concept of referencing a lookup and not having an in-line search. I have attached an XML so you can see the SimpleXML dashboard I created for this example.  The left input dropdown does an in-line search to populate the dropdown values (and this could be what you're seeing as slow).  This means it is searching over, and the right input dropdown still runs a search, but all that search does is load a lookup csv file for the data - it's really quick!   The search I run for the left input is the following, and it is configured in the XML to look over the past 120d: index=_internal | dedup component | table component | sort component   The search I run for the right input is the following, and the timeframe doesn't matter - all it does is load a csv, but the results in that csv lookup are the same format/data as the search above: | inputlookup internal_component_list.csv Note:  that's not the real search that generates the csv.  It is just loading it.  To generate the csv, I ran the following search.  It's real similar to the one for the left dropdown, but I added the outputlookup command to make that csv: index=_internal earliest=-120d | dedup component | table component | sort component | outputlookup internal_component_list.csv You can take this outputlookup search and schedule to run once a week (or however often is appropriate for your data).  The key is this search can be scheduled to run behind the scenes when no one is waiting on the results. I just scheduled it as a report: And its search configuration looks like this:   And for this example I decided to schedule it weekly (but notice that the search looks back 120 days with the earliest=-120d in the SPL).  I'm essentially building my dropdown data weekly from the past 120 days of events in _internal:  

Hi @skyasa You can find what new features are released in our Splunk Enterprise release notes https://docs.splunk.com/Documentation/Splunk/9.1.1/ReleaseNotes/MeetSplunk#What.27s_New_in_9.1 or our What's New in Dashboard Studio release notes https://docs.splunk.com/Documentation/Splunk/9.1.1/DashStudio/WhatNew  I hope that helps!