Skip to main content
Question

Access specific repeated UDM labels in Dashboards (UDM Search)

  • February 12, 2026
  • 1 reply
  • 0 views
pranay_mak
Forum|alt.badge.img

I’m struggling with a use case involving repeated fields in UDM and was wondering if anyone has found a viable workaround or if this should be flagged as a bug/feature gap.

The Use Case

I want to create a UDM Dashboard with a pie chart showing the distribution of values for a specific label key (e.g., source_name).

The Data Structure

My ingested events contain multiple entries in the metadata.source_labels array. For example:

  • key: "source_name", value: "Kaspersky"

  • key: "source_score", value: "100"

  • key: "source_name", value: "Symantec"

  • key: "source_score", value: "200"

  • ... (and 10 other unrelated labels)

The Problem

When I try to write the query for the dashboard, I encounter two main issues:

  1. Over Counting: If I use graph.metadata.source_labels.key = "source_name" in event section and then count(graph.metadata.source_labels.value) in the outcome section, the system flattens the entire array. Instead of counting "Kaspersky" and "Symantec", it returns a count of 12 because it counts every value present in the labels array for that event.

  2. Indexing Limitation: If I try to access the key directly using graph.metadata.source_labels["source_name"] syntax, it only retrieves the first instance of that key. In the example above, it sees "Kaspersky" but completely ignores "Symantec," leading to inaccurate data in my pie chart.

Questions

  1. Is there a way in UDM Search or Dashboards to filter repeated keys so the count only applies to values where the key matches a specific string?

  2. Has anyone successfully used a any logic in Dashboard queries to handle multiple instances of the same key within one event?

This is a frequent requirement for threat intel and multi source telemetry. If this isn't currently possible, I’d like to understand if this is a known limitation or if a bug should be raised.

Thanks in advance!

1 reply

jstoner
Staff
Forum|alt.badge.img+23
  • jstoner
  • Staff
  • February 12, 2026

I don’t have multiple source_names keys to attempt to replicate exactly what you have. However I do have graph.entity.asset.attribute.labels both with a key of ancestors.

 

For your first question, I wonder if you should use count_distinct to get a better count?

I tested this in search and got an expected result. I will say that I opened a ticket around dashboards because that isn’t consistent and I need someone to run down why that is.

$b = count_distinct(graph.entity.asset.attribute.labels["ancestors"])

 

 

Regarding the second question, I could not get to that second value directly using the key/value notation because once it finds the first one it moves on. A way to solve that is to add criteria like what I have below and specify exactly the key and value as two pieces of logic in the search or dashboard.

 

graph.entity.asset.attribute.labels.value = "organizations/123445677"

graph.entity.asset.attribute.labels.key = "ancestors"

 

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.