The most important lesson you can learn here is: Don't join.  Meanwhile, your description is inconsistent about which field is really hostname, and even which index is "main".  The following will mimic what you get but with better performance. (index=infrastructure_reports source=nutanix_vm_host_report) OR (index=syslog_main source=/var/log/messages sourcetype=linux_messages_syslog path=/tmp/jira_assets_extract.ini) |eval block = coalesce(block, 'spec.name') | fields block spec.cluster spec.resources.memory_size_mib operating_system | stats values(*) as * by block I vaguely get the sense that the "main" index - I assume that's infrastructure which produces spec.name field - lacks domain.com in some events, causing missed matches.  You cannot solve this problem by wildcard. One key piece of information you also did not clarify is what possible values of "domain.com" are, given that this is simply a stand-in string.  If there are more than one value for "domain.com", and "name" part could match multiple "domain.com" and represent different hostnames, your problem is unsolvable. The only way the problem is solvable is if "domain.com" doesn't matter, i.e., if "name" part is unique for any hostname.  If this is the case, you can strip out the "domain.com" part in spec.name. (index=infrastructure_reports source=nutanix_vm_host_report) OR (index=syslog_main source=/var/log/messages sourcetype=linux_messages_syslog path=/tmp/jira_assets_extract.ini) | rex field=spec.name "^(?<block>[^\.]+)" | fields block spec.cluster spec.resources.memory_size_mib operating_system | stats values(*) as * by block   ... View more

"A security-enabled local group membership was enumerated." sounds like represented by a unique event_id.  Get rid of them in the search.  If there are specific key words/phrases that cannot be represented by event_id, the best is to use search term to eliminate.  Finally, if there are feature words that are too hard to construct using search terms, you can use regex to eliminate.  index=example sourcetype=wineventlog computer_name="example" NOT event_id IN (fluff_id1, fluff_id2, fluff_id3) NOT "fluff term1" NOT "fluff term2" NOT "fluff term3" | where NOT match(_raw, "fluff[r]egex1|fluf[f]regex2|fluf[fr]egex3") Not sure how transaction gets into the picture, however. ... View more

Let me simplify your problem statement by eliminating JSON path from the equation.  The requirements are simply these: In a dashboard, there is a dropdown input token, say SomeToken. SomeToken has a fixed, predefined entry with label "All". The rest of choices for SomeToken are populated by a search.  I will call this search <tokenSearch>. Events in dashboard panel may or may not contain a field of interest named SomeField. If the user selects "All" (predefined, fixed value), all events should be returned regardless of SomeField. If the user selects any other value populated by <tokenSearch>, only events with SomeField = SomeToken should be returned. (In your case, SomeField is resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue, and you call SomeToken Token_Mr_jobId.) @livehybrid already gives the solution: Do not return only SomeFieldValue in <tokenSearch> and use the value to populate both input label and input value.  Use a different strategy in <tokenSearch>, i.e., return SomeFieldValue as input label, and "SomeField=SomeFieldValue" as input value. <fieldForLabel>SomeFieldValue</fieldForLabel> <fieldForValue>SomeField=SomeFieldValue</fieldForValue>​ Then, in your panel search, do not use "SomeField = $SomeToken$".  Instead, simply insert $SomeToken$ as a search term. One more suggestion: Do not use a pipe between your index search and the tokenized filter if SomeField is already extracted at search time.  This unnecessarily burdens Splunk. In the following demo dashboard, SomeField is substituted with thread_name from index _internal; thread_name_tok is SomeToken.  The key here is <tokenSearch>: index=_internal component=* | stats values(thread_name) as token_label | mvexpand token_label | eval token_value = "thread_name=" . token_label This search differs from yours in one critical step: the last eval sets token_value to a search term involving field name thread_name, not a simple value of this field.  Then, token_label and token_value are used to populate input label and value, respectively.  In this example, I set "All" label to a zero-length character as value, which is equivalent to * in search command but more economical. Full demo dashboard as follows.  Play with it and fit it into your dataset. <form version="1.1" theme="light"> <label>Search for a path the might not exist</label> <description>https://community.splunk.com/t5/Splunk-Search/Search-for-a-path-the-might-not-exist/m-p/746683#M241692</description> <fieldset submitButton="false"> <input type="dropdown" token="thread_name_tok" searchWhenChanged="true"> <label>Select thread_name</label> <choice value="">All events</choice> <default></default> <fieldForLabel>token_label</fieldForLabel> <fieldForValue>token_value</fieldForValue> <search> <query>index=_internal component=* | stats values(thread_name) as token_label | mvexpand token_label | eval token_value = "thread_name=" . token_label</query> <earliest>-15m</earliest> <latest>now</latest> </search> </input> </fieldset> <row> <panel> <title>Token value of your selection: &gt;$thread_name_tok$&lt;</title> <event> <search> <query>index=_internal component=* $thread_name_tok$</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </event> </panel> </row> </form> Hope this helps. ... View more