"A security-enabled local group membership was enumerated." sounds like represented by a unique event_id.  Get rid of them in the search.  If there are specific key words/phrases that cannot be represented by event_id, the best is to use search term to eliminate.  Finally, if there are feature words that are too hard to construct using search terms, you can use regex to eliminate.  index=example sourcetype=wineventlog computer_name="example" NOT event_id IN (fluff_id1, fluff_id2, fluff_id3) NOT "fluff term1" NOT "fluff term2" NOT "fluff term3" | where NOT match(_raw, "fluff[r]egex1|fluf[f]regex2|fluf[fr]egex3") Not sure how transaction gets into the picture, however. ... View more

Let me simplify your problem statement by eliminating JSON path from the equation.  The requirements are simply these: In a dashboard, there is a dropdown input token, say SomeToken. SomeToken has a fixed, predefined entry with label "All". The rest of choices for SomeToken are populated by a search.  I will call this search <tokenSearch>. Events in dashboard panel may or may not contain a field of interest named SomeField. If the user selects "All" (predefined, fixed value), all events should be returned regardless of SomeField. If the user selects any other value populated by <tokenSearch>, only events with SomeField = SomeToken should be returned. (In your case, SomeField is resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue, and you call SomeToken Token_Mr_jobId.) @livehybrid already gives the solution: Do not return only SomeFieldValue in <tokenSearch> and use the value to populate both input label and input value.  Use a different strategy in <tokenSearch>, i.e., return SomeFieldValue as input label, and "SomeField=SomeFieldValue" as input value. <fieldForLabel>SomeFieldValue</fieldForLabel> <fieldForValue>SomeField=SomeFieldValue</fieldForValue>​ Then, in your panel search, do not use "SomeField = $SomeToken$".  Instead, simply insert $SomeToken$ as a search term. One more suggestion: Do not use a pipe between your index search and the tokenized filter if SomeField is already extracted at search time.  This unnecessarily burdens Splunk. In the following demo dashboard, SomeField is substituted with thread_name from index _internal; thread_name_tok is SomeToken.  The key here is <tokenSearch>: index=_internal component=* | stats values(thread_name) as token_label | mvexpand token_label | eval token_value = "thread_name=" . token_label This search differs from yours in one critical step: the last eval sets token_value to a search term involving field name thread_name, not a simple value of this field.  Then, token_label and token_value are used to populate input label and value, respectively.  In this example, I set "All" label to a zero-length character as value, which is equivalent to * in search command but more economical. Full demo dashboard as follows.  Play with it and fit it into your dataset. <form version="1.1" theme="light"> <label>Search for a path the might not exist</label> <description>https://community.splunk.com/t5/Splunk-Search/Search-for-a-path-the-might-not-exist/m-p/746683#M241692</description> <fieldset submitButton="false"> <input type="dropdown" token="thread_name_tok" searchWhenChanged="true"> <label>Select thread_name</label> <choice value="">All events</choice> <default></default> <fieldForLabel>token_label</fieldForLabel> <fieldForValue>token_value</fieldForValue> <search> <query>index=_internal component=* | stats values(thread_name) as token_label | mvexpand token_label | eval token_value = "thread_name=" . token_label</query> <earliest>-15m</earliest> <latest>now</latest> </search> </input> </fieldset> <row> <panel> <title>Token value of your selection: &gt;$thread_name_tok$&lt;</title> <event> <search> <query>index=_internal component=* $thread_name_tok$</query> <earliest>-15m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> </event> </panel> </row> </form> Hope this helps. ... View more

Before anything, let me first say that when you post JSON event sample, always use "Show raw text" before copying.  This helps others help you.  Secondly, as @bowesmana says, it is really unclear what you are asking.  You already know the value "Workflows Administrator".  Do you mean to search for this value and display other related key-value pairs?  Or do you mean there are other possible values from the 3rd array element of target[] that you want to know how to reach that correct array element? If former, you need to specify which key-value pairs in that element are of interest.  If latter, there are many ways, including a method that does not do "extracting" because Splunk by default has done that for you.  But before doing that, you need to use Splunk's flattened-structure notation, not invented names like targetUserDisplayName. (Splunk's notation is target{}.displayName for this one.) Anyway, assuming the latter, @bowesmana already showed you several ways.  Here I first present a formulae approach to reach every JSON array node in SPL: spath + mvexpand.  But before I show any code, you need to perform the most critical task:  to understand how that element is different from other elements in the same array, all of them having a key displayName.  In order to make this determination, you need to carefully study the data.  The differentiating factor among those elements is the JSON key type in that array.  So, you would be looking for the element whose type is CUSTOM_ROLE. index=okta "debugContext.debugData.privilegeGranted"="*" | fields - target{}.* | spath path=target{} | mvexpand target{} | spath input=target{} | where type == "CUSTOM_ROLE" | rename actor.displayName as "Actor", displayName as "Target Name", alternateId as "Target ID", description as "Action", debugContext.debugData.privilegeGranted as "Role(s)" | table Time, Actor, Action, "Target Name", "Target ID", Action, "Role(s)" With this approach, you can handle any JSON array. If you don't want to (re)extract everything in the array - there are occasions when mvexpand can be too expensive, here is a quirky method that can do the same thing: capture the value of target{}.displayName and target{}.alternateId corresponding to target{}.type of CUSTOM_ROLE. index=okta "debugContext.debugData.privilegeGranted"="*" | eval type_index = mvfind('target{}.type', "CUSTOM_ROLE") | eval "Target Name" = mvindex('target{}.displayName', type_index) | eval "Target ID" = mvindex('target{}.alternateId', type_index) | rename actor.displayName as "Actor", description as "Action", debugContext.debugData.privilegeGranted as "Role(s)" | table Time, Actor, Action, "Target Name", "Target ID", Action, "Role(s)" ... View more