I know this is a very old question, but I ended up here when searching for a solution. In my case, I had two problems that were preventing the automatic syntax-highlighting. First, in some cases, we had "invalid" JSON. Specifically, we had a field that was duplicated (i.e. we had two "method" fields in our output). The second problem (that required setting "max lines" to "all lines" was that we were pretty-printing our JSON into the logs. This looked better when looking at the logs directly, but then Splunk only saw the first 5 lines (default Max Lines) and didn't syntax-highlight it unless we selected "all lines' for "max lines" in the "format" dropdown.
So, make sure the JSON is valid and that it's all printed on one line.
... View more