Looks like you have JSON embedded in JSON – Splunk doesn’t ‘know’ that nested JSON should be another JSON: it views it as the contents of the higher-level JSON item.
The way to handle this is either:

- don't encapsulate JSON inside JSON
- use inline rex statements or props.conf/transforms.conf to handle field extractions
from User warren – Stack Overflow https://stackoverflow.com/questions/74010227/why-doesnt-splunk-convert-log-in-json-format-to-json/74021895#74021895
via IFTTT
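The first option above (stop embedding JSON inside JSON) is easiest to apply where the log is produced or shipped. The following is an added example, not code from the answer or from Splunk: a Python pre-processor that finds string fields holding a serialised JSON object and unwraps them into real nested objects, so Splunk's automatic JSON extraction sees one structure. The event, field names and depth limit are constructed for illustration.

```python
"""Added example: unwrap JSON that was serialised into a string field of an
outer JSON event, so one JSON object reaches Splunk instead of text-in-JSON."""
import json
from typing import Any

# Constructed sample: the application wrapped its structured log line as a
# string inside "message", so Splunk treats "message" as opaque text.
NESTED_EVENT = (
    '{"timestamp": "2022-10-10T12:00:00Z", "level": "INFO", '
    '"message": "{\\"event\\": \\"login\\", \\"user\\": \\"alice\\", '
    '\\"src_ip\\": \\"10.0.0.5\\", \\"mfa\\": true}"}'
)


def unwrap_embedded_json(value: Any, max_depth: int = 5) -> Any:
    """Recursively replace string values that hold a JSON object or array
    with the parsed structure. Strings that merely parse as JSON scalars
    ("123", "true", "null") are left alone so field types are not silently
    changed. max_depth bounds recursion on hostile or deeply nested input."""
    if max_depth <= 0:
        return value
    if isinstance(value, dict):
        return {k: unwrap_embedded_json(v, max_depth - 1) for k, v in value.items()}
    if isinstance(value, list):
        return [unwrap_embedded_json(v, max_depth - 1) for v in value]
    if isinstance(value, str):
        stripped = value.strip()
        if stripped[:1] in ("{", "["):          # only candidates for object/array
            try:
                parsed = json.loads(stripped)
            except json.JSONDecodeError:
                return value                    # looked like JSON but was not
            if isinstance(parsed, (dict, list)):
                return unwrap_embedded_json(parsed, max_depth - 1)
    return value


def normalize_event(raw: str) -> str:
    """Parse one raw log line, unwrap embedded JSON, and re-serialise it as a
    single compact JSON object that Splunk's JSON extraction can walk."""
    return json.dumps(unwrap_embedded_json(json.loads(raw)), separators=(",", ":"))


if __name__ == "__main__":
    before = json.loads(NESTED_EVENT)
    print(type(before["message"]).__name__)            # str: nested JSON is text
    after = json.loads(normalize_event(NESTED_EVENT))
    print(after["message"]["user"], after["message"]["mfa"])   # alice True
```

Run the shipper-side normaliser over each line before forwarding; fields such as message.user then appear as ordinary extracted JSON fields without any rex or transforms.conf work.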