I answered my own question! Looks like the issue is in the JSON that I'm feeding into Splunk. Sometimes in the array of players, the last field in the object has a trailing comma.
{
"name":"Stella",
"number": 46,
"positions": ["RF", "2B"],
"lineup_spot":10,
"school":"bollman",
"lineup_spot":10,
}
If I remove that comma and re-index, everything works great, including the spath command that was previously not returning results. It seems that just one object in the array with an erroneous comma will cause Splunk to ignore all the array elements. Thankfully, I can control the JSON that is input (sorta), so I can fix it rather easily.
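A pre-ingestion check for the problem described in the post, as an added example that is not part of the original post or any Splunk tooling: it finds commas that sit directly before a closing `}` or `]` (ignoring commas inside string values), reports where they are, and strips them before the data is indexed. The sample data and all function names are constructed for illustration.

```python
import json

# Constructed sample modelled on the player object in the post (trailing commas kept).
SAMPLE = '''{"players": [
  {"name": "Stella", "number": 46, "positions": ["RF", "2B"], "lineup_spot": 10,},
  {"name": "Example, Jr.", "number": 7, "positions": ["P",], "lineup_spot": 2}
]}'''

def find_trailing_commas(text):
    """Return offsets of commas followed only by whitespace and then } or ]."""
    hits, in_string, escaped, pending = [], False, False, None
    for i, ch in enumerate(text):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string, pending = True, None  # a value follows the comma
        elif ch == ",":
            pending = i
        elif ch in "}]":
            if pending is not None:
                hits.append(pending)
            pending = None
        elif not ch.isspace():
            pending = None
    return hits

def locate(text, offset):
    """Convert a character offset to a 1-based (line, column) pair."""
    line = text.count("\n", 0, offset) + 1
    col = offset - (text.rfind("\n", 0, offset) + 1) + 1
    return line, col

def strip_trailing_commas(text):
    """Remove the offending commas and confirm the result is strict JSON."""
    drop = set(find_trailing_commas(text))
    cleaned = "".join(ch for i, ch in enumerate(text) if i not in drop)
    json.loads(cleaned)  # raises json.JSONDecodeError if something else is wrong
    return cleaned

if __name__ == "__main__":
    for off in find_trailing_commas(SAMPLE):
        print("trailing comma at line %d, column %d" % locate(SAMPLE, off))
    print(strip_trailing_commas(SAMPLE))
```

Running the finder alone as a gate in the pipeline that produces the JSON catches the bad event before it is indexed, so no re-index is needed afterwards.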