OK. I think I already told you about badly formed data. While in some cases you can argue which JSON structure will be better to represent your data, this one is clearly not a good approach. Especially for Splunk.

Let's take this snippet:

    "enemy_information": ["name", "location", "powers" ], "enemy_information_values": [ [ "Doomsday", "Kryptonian Prison", [ "Super Strength", [...] "Immunity to Kryptonite"] ] [...]

There is no structural relation between enemy_information and enemy_information_values. From Splunk's point of view, those will parse out (leaving aside possibly nested multivalued fields, which are not straightforward to deal with) as two separate multivalued fields with no relationship whatsoever between the values from one field and the values from the other.

If anything, it should be either

    "enemy_attributes": {"name": "Doomsday", "location": "Seattle, WA" [...]},

or

    "enemy_attributes": [ {"name":"name", "value": "Doomsday"}, {"name": "location", "value":"Paris, France"} ...]

Each option has its pros and cons, but the one you're presenting only seems to have cons.
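The restructuring described in the post above, as an added example that is not part of the original post: a Python pre-processing step that pairs each value row with the header list before the data is sent for indexing. The field names come from the post; the sample values, the function names and the choice to emit one JSON line per record are assumptions.

```python
import json

# Constructed sample event in the shape quoted in the post (values are illustrative).
RAW_EVENT = json.dumps({
    "enemy_information": ["name", "location", "powers"],
    "enemy_information_values": [
        ["Doomsday", "Kryptonian Prison", ["Super Strength", "Immunity to Kryptonite"]],
        ["Lex Luthor", "Metropolis", ["Genius Intellect"]],
    ],
})


def restructure(event, keys_field="enemy_information",
                values_field="enemy_information_values",
                out_field="enemy_attributes"):
    """Pair each value row with the header list and emit one object per row."""
    keys = event[keys_field]
    records = []
    for idx, row in enumerate(event[values_field]):
        # A row of the wrong length cannot be mapped safely; fail loudly
        # instead of silently shifting values under the wrong key.
        if len(row) != len(keys):
            raise ValueError(f"row {idx}: {len(row)} values for {len(keys)} keys")
        records.append(dict(zip(keys, row)))
    # Keep every other field of the event untouched.
    out = {k: v for k, v in event.items() if k not in (keys_field, values_field)}
    out[out_field] = records
    return out


def to_name_value(record):
    """Second shape from the post: a list of {"name": ..., "value": ...} pairs."""
    return [{"name": k, "value": v} for k, v in record.items()]


def split_events(event):
    """One JSON line per record (assumed ingestion layout: one record per event)."""
    return [json.dumps(rec, sort_keys=True)
            for rec in restructure(event)["enemy_attributes"]]


if __name__ == "__main__":
    for line in split_events(json.loads(RAW_EVENT)):
        print(line)
```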