Hi AlGon
I just looked at this again; my previous answer was incorrect, so I deleted it.
If you set CIM fields in the logging library, today, they are appended as key-value pairs in the message. The logging libraries (log4j etc.) are not built around objects. That message is then forwarded on within the JSON payload which HEC requires. Splunk does not support extracting kvp from a value of a field in a JSON object today. If it did, this would not be a problem and the fields would be properly extracted. We have filed a bug for this and are exploring potentially fixing this in the future. We're also adding support in HEC for sending raw payloads (we have this already in cloud), so we may be able to add support in our logging libraries, which would also solve the problem.
In the interim, one option to explore is using regex extractions to extract the fields. I've done some spiking on this which I posted here. Basically it introduces a sourcetype which extracts any kvp it finds in the "event" value. The same approach may work for your need.
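An added illustration of the situation described in the answer above (example code, not from the original post, Splunk, or its logging libraries): the CIM fields arrive as key=value text inside the HEC envelope's "event" string, and a regex extraction of the kind a kvp sourcetype would apply pulls them back out. The payload, field names and values are constructed for this example.

```python
import json
import re

# Constructed HEC payload: the logging library rendered the CIM fields as
# key=value pairs inside the message text, then wrapped that text in the
# JSON envelope HEC expects. Splunk sees "event" as one string field.
HEC_PAYLOAD = json.dumps({
    "time": 1700000000,
    "host": "app01",
    "sourcetype": "app:kvp",
    "event": 'User login failed action=failure user="j.doe" src=10.0.0.5 app=portal',
})

# Key=value regex: the value is either double-quoted (may contain spaces)
# or a run of non-whitespace. Equivalent in spirit to a search-time regex
# extraction applied to the "event" value by a dedicated sourcetype.
KVP_RE = re.compile(r'(?P<key>[A-Za-z_][\w.]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def extract_kvp(hec_json: str) -> dict:
    """Parse the HEC JSON envelope and extract key=value pairs from its 'event' string."""
    envelope = json.loads(hec_json)
    event = envelope.get("event")
    if not isinstance(event, str):
        # A structured (object) event would already be field-extractable by Splunk;
        # this workaround only targets the flat-string case described above.
        raise TypeError("event must be a string for kvp extraction")
    fields = {}
    for m in KVP_RE.finditer(event):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        fields[m.group("key")] = value
    return fields


if __name__ == "__main__":
    print(extract_kvp(HEC_PAYLOAD))
```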