none of these answers solves the root problem -- particularly in scenarios where the text log contains a json blob with nested json structure. It is quite confusing that spath command is not available in props.conf -- using spath in search is not an option for things like SIEMs where parsing needs to be done 'automatically' in order to fit into given data models or to map for CIM compliance.
... View more