Alright I'm going to give you a sample here. Working with JSON can be a little bit tricky but it's usually very possible if it's valid JSON. Since I don't have your exact events I'll show you what I used as a test case.
This was my sample.json file:
{
  "version": "1.0",
  "bar": [{
    "barName": "name1",
    "moreRecords": [{
      "test": "1"
    }]
  }, {
    "barName": "name2",
    "moreRecords": [{
      "test": "2"
    }]
  }]
}
If I use this as test data and import it into Splunk using the following props.conf:
[test_json_sourcetype]
KV_MODE = json
DATETIME_CONFIG = CURRENT
I do get data extracting correctly. I'm then able to run the following search:
index=test | spath path=bar{} output=x | mvexpand x | spath input=x | table barName moreRecords{}.test | rename moreRecords{}.* as * | search barName=name1
And that gets me the following output
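Why the search expands bar{} before filtering, shown as an added Python emulation (not part of the original post, and not Splunk code). It assumes Splunk's multivalue behaviour: automatic JSON extraction puts every barName of one event into a single multivalue field, so a filter on it returns the whole event; the function names are hypothetical.

```python
import json

# Constructed sample: the sample.json event from the post.
SAMPLE_EVENT = """
{"version": "1.0",
 "bar": [{"barName": "name1", "moreRecords": [{"test": "1"}]},
         {"barName": "name2", "moreRecords": [{"test": "2"}]}]}
"""


def flatten(node, prefix=""):
    """Flatten JSON into spath-style field names; arrays become `name{}`
    and repeated leaves accumulate into one multivalue list per field."""
    fields = {}
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{prefix}.{key}" if prefix else key
            for name, values in flatten(value, child).items():
                fields.setdefault(name, []).extend(values)
    elif isinstance(node, list):
        for item in node:
            for name, values in flatten(item, prefix + "{}").items():
                fields.setdefault(name, []).extend(values)
    else:
        fields[prefix] = [node]
    return fields


def search_without_expand(raw, bar_name):
    """Filter on the automatically extracted multivalue fields only."""
    fields = flatten(json.loads(raw))
    if bar_name not in fields.get("bar{}.barName", []):
        return []
    return [{"barName": fields["bar{}.barName"],
             "test": fields["bar{}.moreRecords{}.test"]}]


def search_with_expand(raw, bar_name):
    """Mimic: spath path=bar{} output=x | mvexpand x | spath input=x
    | rename moreRecords{}.* as * | search barName=<bar_name>."""
    rows = []
    for element in json.loads(raw)["bar"]:       # one row per bar{} element
        fields = flatten(element)                # re-parse that element alone
        if bar_name in fields.get("barName", []):
            rows.append({"barName": fields["barName"],
                         "test": fields["moreRecords{}.test"]})
    return rows
```

Without the expansion, a filter for name1 still returns both barName values and both test values in one row; with it, only the name1 element and its own test value remain.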