This problem is not well defined.  But before that, I would caution any data truncation in props.conf. Anyway, you need to prescribe a formula/criterion you want this done.  Are you using the front part (that you discard) or the end part (that you want to preserve) to make the determination?  If front, how are you going to determine that is the front part?  If end, how are you going to determine that it is the end part?  Without giving us this information, there can be a million ways to make this specific log entry trimmed, but most of these methods will fail you in general. One example to do this in the front could be: | eval _raw = replace(_raw, ".*util.SplunkUtil : ", "") Here, I'm assuming that util.SplunkUtil and the spacing are fixed values. One example of using the end to do the same could be | eval _raw = replace(_raw, ".*: *(\[LOGIN_\w+\]|.+)", "\1") Here, I assume that the colon and LOGIN_* in square brackets are the fixture. As you can see, the combinations are infinite.  What exactly is your design?

Maybe you can explain what is the significance of that top level key "2023-03-16"?  And is the phrase   There ought to be some semantic significance that it changes every day.  Also, is that the only top level key?  If so, I'd say that the developers are making a poor design.  Same can be said about the second level key ("1", "2", ...), which seems to be semantically redundant as third-level key "id".  If you have any influence over developers, maybe suggest that they get rid of second-level key, and just make an array with the 3rd level objects. Anyway, I am not going to assume any semantic significance of the top level key(s?) for now.  I also assume that your desire to use wildcard search is about search in those 3rd level keys such as "name" and "email".  To my understanding, you want a simple search such as name = "michael *" late = "true" without having to confront field names such as 2023-03-16.1.name. This is something you can try:     | spath path=employees | eval date = json_array_to_mv(json_keys(employees)) | mvexpand date | eval day_employees = json_extract(employees, date) | eval employee_id = json_array_to_mv(json_keys(day_employees)) | mvexpand employee_id | eval day_employees = json_extract(day_employees, employee_id) | spath input=day_employees     Your sample data (single date, two id) would give these field values: (There are too many fields so the following is transposed.) fieldname 1 2 _mkv_child 0 1 activeProject.duration   6027 activeProject.project_id   67973 activeProject.project_title   Blue Book activeProject.task_id   42282 activeProject.task_title   Blue Book task afterWorkTime 0 0 arrived false 2023-03-16 09:17:00 atWorkTime 0 6060 beforeWorkTime 0 0 date 2023-03-16 2023-03-16 desktimeTime 0 6027 efficiency 0 14.75 email demo@desktime.com demo3@desktime.com employee_id 1 2 group Accounting Marketing groupId 1 106345 isOnline false true late false true left false 2023-03-16 10:58:00 name Michael Scott Andy Bernard notes.Background   Law and accounting notes.Skype Find.me   notes.Slack MichielS   offlineTime 0 0 onlineTime 0 6027 productiveTime 0 4213 productivity 0 69.9 profileUrl url.com url.com work_ends 00:00:00 18:00:00 work_starts 23:59:59 09:00:00 Here is an emulation that you can play with and compare with real data   | makeresults | eval _raw = "{ \"employees\": { \"2023-03-16\": { \"1\": { \"id\": 1, \"name\": \"Michael Scott\", \"email\": \"demo@desktime.com\", \"groupId\": 1, \"group\": \"Accounting\", \"profileUrl\": \"url.com\", \"isOnline\": false, \"arrived\": false, \"left\": false, \"late\": false, \"onlineTime\": 0, \"offlineTime\": 0, \"desktimeTime\": 0, \"atWorkTime\": 0, \"afterWorkTime\": 0, \"beforeWorkTime\": 0, \"productiveTime\": 0, \"productivity\": 0, \"efficiency\": 0, \"work_starts\": \"23:59:59\", \"work_ends\": \"00:00:00\", \"notes\": { \"Skype\": \"Find.me\", \"Slack\": \"MichielS\" }, \"activeProject\": [] }, \"2\": { \"id\": 2, \"name\": \"Andy Bernard\", \"email\": \"demo3@desktime.com\", \"groupId\": 106345, \"group\": \"Marketing\", \"profileUrl\": \"url.com\", \"isOnline\": true, \"arrived\": \"2023-03-16 09:17:00\", \"left\": \"2023-03-16 10:58:00\", \"late\": true, \"onlineTime\": 6027, \"offlineTime\": 0, \"desktimeTime\": 6027, \"atWorkTime\": 6060, \"afterWorkTime\": 0, \"beforeWorkTime\": 0, \"productiveTime\": 4213, \"productivity\": 69.9, \"efficiency\": 14.75, \"work_starts\": \"09:00:00\", \"work_ends\": \"18:00:00\", \"notes\": { \"Background\": \"Law and accounting\" }, \"activeProject\": { \"project_id\": 67973, \"project_title\": \"Blue Book\", \"task_id\": 42282, \"task_title\": \"Blue Book task\", \"duration\": 6027 } } } }, \"__request_time\": \"1678957028\" }" ``` data emulation above ```