Splunk Search

Sub-search doesn't work in some apps/dashboards but works in others and as a separate search

michael_sleep
Communicator

Been wrestling with this issue for a while now... I have a search like the one below (sensitive information redacted). This works when using it in a regular search. When adding it as a dashboard panel, it doesn't work. The weird thing is, it works in some dashboards/apps but not others:

index=xxxx_logs container_name="organization-api" namespace=pvcs "update" UserController
| spath input=log
| search action=update 
| eval corrId=spath(log,"request_id")
| eval params=spath(log,"params")
| rex field=params "(?P<parameters>[^\"]+\"\:\"[^\"]+)" max_match=0
| rex field=parameters mode=sed "s/\"\:\"/: /g"
| eval userID=spath(params,"id")
| eval username=spath(params,"login_name")
| join corrId 
   [search index=xxxx_logs container_name="lbo" audit
    | spath input=log
    | eval corrId=spath(log,"corrId")
    | eval byUser=spath(log,"byUserId")]
| table _time,controller,action,userID, username,parameters,request_id,byUser
| sort _time

The only error that comes up in the job inspector is:
"No matching fields exist"

This says to me that the search can't or doesn't run spath, or for one reason or another can't extract the fields necessary to do the sub-search. The weird thing is, I can copy/paste this into another dashboard or run it separately as a search and it works fine. I've gone through the app and the dashboard source, but I don't see anything that would be different between them configuration-wise.

I've tried including | fields=* to try and force verbose mode. I've also tried setting permissions as high as they'll go on the app/dashboard, hoping this would fix it, but nada... thoughts?

0 Karma
1 Solution

michael_sleep
Communicator

Never mind, I figured this out coincidentally shortly after posting... it appears the problem is with using ADFS as SSO into Splunk. The created SIDs for search are too large and cause problems when attempting to create sub-searches. I resolved the issue by making a generic "admin" account the owner of the dashboard panels, instead of my ADFS account.

0 Karma
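The fix above boils down to "don't let dashboards and saved searches be owned by long SSO principals". The following is an added illustration, not Splunk's code or the poster's: a small audit over knowledge-object ownership records (constructed sample data; in practice you would export the owner of each dashboard and saved search, for example from the REST API's eai:acl.owner, into the same shape). The 32-character threshold is an assumed tunable, not a documented Splunk limit.

```python
"""Flag Splunk knowledge objects whose owner is an SSO-style principal.

Added example for this thread; the records, the threshold and the
principal patterns are assumptions, not Splunk internals.
"""
import re
from dataclasses import dataclass

# Two common shapes of federated identities handed to Splunk by ADFS/SAML.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")            # user@domain.example
DOWNLEVEL_RE = re.compile(r"^[^\\\s]+\\[^\\\s]+$")    # DOMAIN\user


@dataclass(frozen=True)
class KnowledgeObject:
    app: str
    name: str
    kind: str    # "dashboard" or "savedsearch"
    owner: str   # value of eai:acl.owner for that object


def is_sso_principal(owner: str) -> bool:
    """True when the owner looks like a federated (ADFS/SAML) identity."""
    return bool(UPN_RE.match(owner) or DOWNLEVEL_RE.match(owner))


def audit_owners(objects, max_owner_len=32):
    """Return (app, name, owner, reasons) for objects worth re-owning.

    An object is flagged if its owner is an SSO-style principal, or if the
    owner name is longer than max_owner_len, since both inflate the search
    job identifiers derived from the owner. Short local service accounts
    (e.g. "admin") are never flagged.
    """
    findings = []
    for obj in objects:
        reasons = []
        if is_sso_principal(obj.owner):
            reasons.append("owner is an SSO/ADFS-style principal")
        if len(obj.owner) > max_owner_len:
            reasons.append(f"owner name longer than {max_owner_len} chars")
        if reasons:
            findings.append((obj.app, obj.name, obj.owner, reasons))
    return findings


# Constructed sample inventory (not real Splunk data).
SAMPLE_OBJECTS = [
    KnowledgeObject("search", "user_updates", "dashboard", "michael.sleep@corp.example.com"),
    KnowledgeObject("search", "lbo_audit", "savedsearch", "admin"),
    KnowledgeObject("ops", "joins_by_corrid", "dashboard", "CORPDOMAIN\\firstname.lastname.contractor"),
]

if __name__ == "__main__":
    for app, name, owner, reasons in audit_owners(SAMPLE_OBJECTS):
        print(f"{app}/{name}: owned by {owner!r}: {'; '.join(reasons)}")
```

Anything the audit lists is a candidate for reassigning ownership to a short local account, which is the remediation the thread ended up with.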
