Your problem is particularly tricky because your keys are IP addresses, and hence contain dots.

I had a similar problem to you and managed to solve my case, but when I tried to apply the same solution to your data it didn't work, and the extra complication is the dots within the field names.

For the benefit of anyone else who stumbles across this question with keys that do not contain dots, here is search that demonstrates the solution:

| stats count | eval _raw="{ \"key1\":{ \"name\" : \"server1\" }, \"key2\":{ \"name\" : \"server2\" } }" | eval extract_key="key2" | spath | eval desired_name=spath(_raw, extract_key.".name")

(Obviously instead of the stats count and eval _raw you'd be searching an index to get your _raw data.)

The magic is that the spath() eval function can accept a variable for its second argument. By contrast the spath command cannot accept a variable for the path - it treats unquoted paths as literals.

However, changing "key1" and "key2" to IP addresses in the above example breaks it. The problem is that spath uses dots as fieldname separators so when passing an IP address to the spath eval function it looks for a top level object called "10" with a nested object called "10" with a nested object called "1", etc.

To summarise, because dots are separators it's impossible to search for field names containing dots with spath, but it IS possible to "dereference" a field as long as no fields on the path to it contain dots.