There is probably a simple solution to this, but unfortunately I was not able to find the answer in the documentation, nor by searching the community.
I am injecting events into Splunk, with a certain JSON structure, e.g.
[
  { "foo": { "k1": 1, "k2": 2 },
    "bar": { "m1": 5, "m2": 6 },
    "string1": "hi",
    "string2": "bye"
  },
  { "foo": { "k1": 11, "k2": 22 },
    "bar": { "m1": 55, "m2": 66 },
    "string1": "hi2",
    "string2": "bye2"
  },
  ... and so on ...
]
I can nicely search these events in Splunk, e.g. by | where foo.k1 > 10
Now when searching through the REST API, I can specify which fields I would like to get, e.g. with | fields string1, foo | fields - _*
The problem I am having is as follows:
When specifying the field "foo" - which has a map (or some other complex structure) - in the above naive way, I am not getting any contents from it in my search result (the results are nicely visible in the event view of the Splunk web UI - but not in the REST API).
When using fields foo*, I am getting an expanded result: { "foo.k1": 1, "foo.k2": 2 }
I tried spath, like in: | spath output=myfoo path=foo | fields myfoo | fields - _* which however gives me a string that contains JSON: {"myfoo": "{\"k1\": 1,\"k2\": 2}"}
The above are all sub-optimal; I would like to get a search result which is pure JSON, and preserves the structure of the "foo" field, so that I would get: { ..., "foo": { "k1": 1, "k2": 2 }, ... }
Or in other words: I would like to pass through some of the event content as is to the result, such that I would get a nice hierarchical data structure when parsing the JSON search result.
Thanks a lot for your valuable advice!
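As an added example (not from the post, and not part of Splunk's own SDK), assuming the REST API hands back each result as a flat dict keyed by field name in the two shapes the post quotes: a small Python helper that rebuilds the event hierarchy client-side from the dotted `foo.k1` keys of `fields foo*` and from the JSON string that `spath output=myfoo` yields, dropping the `_*` internal fields.

```python
import json
from typing import Any, Dict

def _parse_embedded_json(value: Any) -> Any:
    """A field holding a JSON object/array string (what 'spath output=...'
    returns) becomes real data; anything else is left as-is. json.loads
    only parses, so untrusted field content cannot execute anything."""
    if isinstance(value, str) and value[:1] in ("{", "["):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value

def unflatten(row: Dict[str, Any]) -> Dict[str, Any]:
    """{"foo.k1": 1, "foo.k2": 2, "string1": "hi"} becomes
    {"foo": {"k1": 1, "k2": 2}, "string1": "hi"}; internal fields
    (_raw, _time, ...) are dropped, as '| fields - _*' would do."""
    out: Dict[str, Any] = {}
    for key, value in row.items():
        if key.startswith("_"):
            continue
        value = _parse_embedded_json(value)
        *parents, leaf = key.split(".")
        node = out
        for part in parents:            # walk or create intermediate dicts
            child = node.get(part)
            if not isinstance(child, dict):
                child = node[part] = {}  # a scalar here is replaced
            node = child
        if isinstance(value, dict) and isinstance(node.get(leaf), dict):
            node[leaf].update(value)     # "foo" and "foo.k1" both present
        else:
            node[leaf] = value
    return out

# Constructed sample rows (not real Splunk output), shaped like the two
# forms quoted in the post: the expanded 'fields foo*' keys, and the JSON
# string produced by '| spath output=myfoo path=foo'.
SAMPLE_ROWS = [
    {"foo.k1": 1, "foo.k2": 2, "string1": "hi", "_raw": "<raw event>"},
    {"myfoo": '{"k1": 11,"k2": 22}', "string1": "hi2", "_time": "<ts>"},
]

if __name__ == "__main__":
    print(json.dumps([unflatten(r) for r in SAMPLE_ROWS], indent=2))
```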