One thing to note: timestamp extraction for events is not essential. I am happy to use IDX time timestamping.
As you'll probably have already noticed, using default JSON extractions, Splunk will create fields for data.page, data.page_title, data.active_visitors.
But this creates a problem...
An example of why: I want to chart data.page by data.active_visitors. Using default extractions, Splunk lumps all values for data.page and data.active_visitors into fields, but because they are all in the same event it is impossible to associate the correct data.page value with the data.active_visitors value.
Leading into my question...
What is the best way to handle this event, to achieve my example above? Should I be trying to break the events before they get indexed? Or can I manipulate the search to handle it?
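One way to handle it in the search, as an added example that is not part of the original post: it assumes the API response is a JSON object whose data key is an array of objects carrying page, page_title and active_visitors, and builds one such constructed event inline with makeresults so it can be pasted into a search bar as-is. Extracting the array into a multivalue field, expanding it to one result per element and then re-running spath on each element restores the pairing that the default extraction loses.

```spl
| makeresults
| eval _raw="{\"data\":[{\"page\":\"/\",\"page_title\":\"Home\",\"active_visitors\":12},{\"page\":\"/blog\",\"page_title\":\"Blog\",\"active_visitors\":3},{\"page\":\"/pricing\",\"page_title\":\"Pricing\",\"active_visitors\":7}]}"
| spath path=data{} output=row
| mvexpand row
| spath input=row
| chart max(active_visitors) by page
```

Against indexed data, replace the first two lines with your index and sourcetype; the spath/mvexpand steps work on the raw event unchanged, so no props.conf or ingestion changes are needed.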
"Spewed out of an API endpoint"... Could you describe more of how this data is being retrieved and fed to Splunk? I wonder whether, while you might not be able to change the request, manipulating the response before ingestion is an option.