With the rise of HEC (and with our new Splunk logging driver), we're seeing more and more of you, our beloved Splunk customers, pushing JSON over the wire to your Splunk instances. One common question we're hearing you ask is: how can key-value pairs be extracted from fields within the JSON? For example, imagine you send an event like this:

{"event":{"name":"test", "payload":"foo=bar\r\nbar=\"bar bar\"\tboo.baz=boo.baz.baz"}}

This event has two fields, name and payload. Looking at the payload field, however, you can see that it contains additional fields as key-value pairs. Splunk will automatically extract name and payload, but it will not look further into payload to extract the fields within it. That is, not unless we tell it to.

Field...
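To make the two-level structure concrete, here is an added example (not Splunk's own extraction code) that models what the post describes: parse the HEC event as JSON, which yields the top-level name and payload fields, then tokenise the payload string into its embedded key=value pairs, honouring the CR/LF and tab separators and the quoted value from the sample event. The event literal, the regex and the function names are constructed for this illustration.

```python
import json
import re

# Constructed copy of the sample event from the post (raw string, so the JSON
# escapes \r \n \t and \" reach json.loads unchanged).
SAMPLE_EVENT = r'{"event":{"name":"test", "payload":"foo=bar\r\nbar=\"bar bar\"\tboo.baz=boo.baz.baz"}}'

# One key=value pair: a dotted identifier key, then either a double-quoted value
# (backslash escapes allowed inside) or a bare token running up to the next
# whitespace. Pairs may be separated by any whitespace: space, tab, CR or LF.
PAIR_RE = re.compile(r'([A-Za-z_][\w.]*)=("(?:[^"\\]|\\.)*"|[^\s"]+)')


def extract_pairs(payload: str) -> dict:
    """Return the key=value pairs embedded in a string field such as payload."""
    pairs = {}
    for key, value in PAIR_RE.findall(payload):
        if value.startswith('"'):
            # Drop the surrounding quotes and resolve \" and \\ escapes.
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        pairs[key] = value
    return pairs


def extract_event(raw: str, field: str = "payload") -> dict:
    """Parse a HEC-style JSON event and merge in the pairs nested inside one field.

    The json.loads step gives what Splunk extracts on its own (name, payload);
    the extract_pairs step is the extra work the post says has to be requested.
    """
    event = json.loads(raw)["event"]
    fields = dict(event)
    nested = event.get(field)
    if isinstance(nested, str):          # only string fields can carry pairs
        fields.update(extract_pairs(nested))
    return fields


if __name__ == "__main__":
    for k, v in extract_event(SAMPLE_EVENT).items():
        print(f"{k} = {v!r}")
```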