There are numerous questions/answers about extracting nested JSON data, but none of those answers seem to apply to what I am attempting to do.

Given the following JSON data as indexed by Splunk:

{
  "disks": {
    "nvme0n1": {
      "model": "PC401 NVMe SK hynix 512GB",
      "serial": "123",
      "size": "476.94 GiB",
      "size_bytes": 512110190592,
      "type": "ssd",
    },
    "sda": {
      "model": "SK hynix SC401 S",
      "serial": "456",
      "size": "953.87 GiB",
      "size_bytes": 1024209543168,
      "type": "ssd",
      "vendor": "ATA",
    },
    "sdb": {
      "model": "SD/MMC CRW",
      "serial": "789",
      "size": "0 bytes",
      "size_bytes": 0,
      "type": "hdd",
      "vendor": "Generic-"
    },
  }
}

I want to produce a table like this:

              host     disk                      model  serial        size  type
--------------------------------------------------------------------------------
myhost.example.org  nvme0n1  PC401 NVMe SK hynix 512GB     123  476.94 GiB   ssd
myhost.example.org      sda           SK hynix SC401 S     456  953.87 GiB   ssd
myhost.example.org      sdb                 SD/MMC CRW     789     0 bytes   hdd
--------------------------------------------------------------------------------

I can go after an individual disk, like so:

search … |
dedup host |
spath output=disk "disks.sda" |
mvexpand disk |
spath input=disk |
table host model serial size type

…but how to perform this step for each disk in the disks array eludes me. Does anyone have any solutions?

A related question: where is SPL documented to such a degree where one could reasonably understand how to perform this type of extraction? Splunk documents the individual commands, but doesn’t really explain how to tie them together to create more complex actions, and the Exploring Splunk: Search Processing Language (SPL) Primer and Cookbook doesn’t even come close to explaining how to perform a complex action like this. Are there others tutorials/primers?