There is probably a simple solution to this, but unfortunately I was not able to find the answer in the documentation, nor by searching the community.
I am injecting events into Splunk, with a certain JSON structure, e.g.
[
  { "foo": { "k1": 1, "k2": 2 },
    "bar": { "m1": 5, "m2": 6 },
    "string1": "hi",
    "string2": "bye"
  },
  { "foo": { "k1": 11, "k2": 22 },
    "bar": { "m1": 55, "m2": 66 },
    "string1": "hi2",
    "string2": "bye2"
  },
  ... and so on ...
]
I can nicely search these events in Splunk, e.g. by | where foo.k1 > 10
Now when searching through the REST API, I can specify which fields I would like to get, e.g. with | fields string1, foo | fields - _*
The problem I am having is as follows:
The above are all sub-optimal; I would like to get a search result which is pure JSON, and preserves the structure of the "foo" field, so that I would get: { ..., "foo": { "k1": 1, "k2": 2 }, ... }
Or in other words: I would like to pass through some of the event content as is to the result, such that I would get a nice hierarchical data structure when parsing the JSON search result.
Thanks a lot for your valuable advice!
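One client-side way to get the hierarchical structure back, as an added example that is not part of the original post and not Splunk's own code: Splunk's JSON search output (for instance from the search/jobs/export endpoint with output_mode=json) lists each result as a flat object whose keys are the auto-extracted dotted field names such as "foo.k1", with values as strings; when the search keeps _raw, the original event text is also available. The helper below rebuilds nested objects from the dotted keys and, where _raw is present, prefers parsing it so the original value types survive. The SAMPLE_RESPONSE is a constructed imitation of such a response, and the function names (unflatten, rebuild, rebuild_response) are this example's own.

```python
"""Rebuild nested JSON from Splunk's flattened search results.

Added example (not from the post or from Splunk): assumes the search
results come back as a JSON object with a "results" list, each entry
being a flat dict keyed by Splunk field names ("foo.k1", "string1",
optionally "_raw", "_time", ...).
"""
import json
from typing import Any

# Constructed sample of what output_mode=json might return for the
# events in the question: one result that still carries _raw, and one
# where `| fields - _*` has stripped the underscore fields.
SAMPLE_RESPONSE: dict[str, Any] = {
    "results": [
        {
            "_time": "2024-01-01T00:00:00.000+00:00",
            "_raw": '{"foo": {"k1": 11, "k2": 22}, "bar": {"m1": 55, "m2": 66}, '
                    '"string1": "hi2", "string2": "bye2"}',
            "foo.k1": "11",
            "foo.k2": "22",
            "string1": "hi2",
        },
        {
            "foo.k1": "11",
            "foo.k2": "22",
            "string1": "hi2",
        },
    ]
}


def unflatten(result: dict[str, Any]) -> dict[str, Any]:
    """Turn {"foo.k1": "11", "foo.k2": "22"} into {"foo": {"k1": "11", "k2": "22"}}.

    Splunk bookkeeping fields (_raw, _time, ...) are skipped, mirroring the
    `| fields - _*` filter in the question. Values stay strings, because that
    is how Splunk reports extracted field values.
    """
    nested: dict[str, Any] = {}
    for key, value in result.items():
        if key.startswith("_"):
            continue
        parts = key.split(".")
        cursor = nested
        for part in parts[:-1]:
            existing = cursor.get(part)
            if not isinstance(existing, dict):
                # A scalar and a sub-object share this prefix; keep the scalar
                # under an empty-string key rather than silently dropping it.
                existing = {} if existing is None else {"": existing}
                cursor[part] = existing
            cursor = existing
        cursor[parts[-1]] = value
    return nested


def rebuild(result: dict[str, Any], keep: list[str]) -> dict[str, Any]:
    """Return only the top-level fields in `keep`, with nested structure intact.

    If the search kept _raw, parse the original event so numbers stay
    numbers; otherwise reconstruct the hierarchy from the dotted keys.
    """
    if "_raw" in result:
        event = json.loads(result["_raw"])
    else:
        event = unflatten(result)
    return {name: event[name] for name in keep if name in event}


def rebuild_response(response: dict[str, Any], keep: list[str]) -> list[dict[str, Any]]:
    """Apply rebuild() to every result in a Splunk JSON search response."""
    return [rebuild(r, keep) for r in response.get("results", [])]


if __name__ == "__main__":
    # Prints pure JSON with "foo" as a nested object for each result.
    print(json.dumps(rebuild_response(SAMPLE_RESPONSE, ["string1", "foo"]), indent=2))
```

Keeping _raw in the search (that is, not filtering it away with `| fields - _*`) is what lets the client recover the exact original types; the unflatten path is the fallback when only extracted fields are returned.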