There is probably a simple solution to this, but unfortunately I was not able to find the answer in the documentation, nor by searching the community.

I am injecting events into Splunk, with a certain JSON structure, e.g.

[
  { "foo": { "k1": 1, "k2": 2 },
    "bar": { "m1": 5, "m2": 6 },
    "string1": "hi",
    "string2": "bye"
  },
  { "foo": { "k1": 11, "k2": 22 },
    "bar": { "m1": 55, "m2": 66 },
    "string1": "hi2",
    "string2": "bye2"
  },
  ... and so on ...
]

I can nicely search these events in Splunk, e.g. by | where foo.k1 > 10

Now when searching through the REST API, I can specify which fields I would like to get, e.g. with | fields string1, foo | fields - _*

The problem I am having is as follows:

• When specifying the field "foo" - which has a map (or some other complex structure) in the above naive way, I am not getting any contents from it in my search result (the results are nicely visible in the event view of the Splunk web UI - but in the REST API)
• When using fields foo*, I am getting an expanded result:
  { "foo.k1": 1, "foo.k2": 2 }
• I tried spath, like in: | spath output=myfoo path=foo | fields myfoo | fields - _*
  which however gives me a string that contains JSON:
  {"myfoo": "{\"k1\": 1,\"k2\": 2}"}

The above are all sub-optimal; I would like to get a search result which is pure JSON, and preserves the structure of the "foo" field, so that I would get: { ..., "foo": { "k1": 1, "k2": 2 }, ... }

Or in other words: I would like to pass through some of the event content as is to the result, such that I would get a nice hierarchical data structure when parsing the JSON search result.

Thanks a lot for your valuable advice!