Analyse JSON data type in Splunk

j00dan
Jan 20, 2021

Splunk can extract fields from JSON automatically, but when the JSON contains a list of objects, spath flattens each key of those objects into its own multivalue field (for example TestData{}.Name, TestData{}.NewValue and TestData{}.OldValue). The positional link between the values of one list element is then lost, so a search such as property_name="x" no longer tells you which NewValue and OldValue belonged to that name. To search the data reliably, or to get the key/value pairs back together, the multivalue fields have to be re-associated first.

Here is a sample search query that re-associates the JSON list values:

index=<index name>
| spath
| rename TestData{}.Name as property_name, TestData{}.NewValue as property_new_value, TestData{}.OldValue as property_old_value
| eval x=mvzip(mvzip(property_name, property_new_value), property_old_value)
| mvexpand x
| eval x=split(x, ",")
| eval property_name=mvindex(x, 0)
| eval property_new_value=mvindex(x, 1)
| eval property_old_value=mvindex(x, 2)
| search property_name="test_key_name"
| table _time, property_name, property_new_value, property_old_value

Step by step: spath extracts the JSON fields; rename gives the three multivalue fields shorter names; mvzip joins the i-th value of each field into one comma-separated string (mvzip accepts only two multivalue fields and an optional delimiter, so three fields need the nested call shown above); mvexpand turns each zipped string into its own event; split and mvindex break the string back into three single-valued fields; and the final search and table then operate on correctly paired values.

One caveat: split uses the same comma that mvzip inserted, so a value that itself contains a comma will be cut into extra pieces and shift the columns. If your values may contain commas, pass a delimiter that cannot occur in the data as the third argument of mvzip, for example mvzip(mvzip(property_name, property_new_value, "|"), property_old_value, "|"), and split on that delimiter instead.
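As an added example that is not part of the original post, the following Python models what the query above does to a single event: spath-style flattening into TestData{}.Name-type multivalue fields, the nested mvzip / mvexpand / split round trip, and the column shift that occurs when a value itself contains the delimiter. The sample event, field names and helper functions are constructed for illustration and are not Splunk's own implementation.

```python
import json

# Constructed sample event: an audit-style record whose TestData list holds
# one {Name, NewValue, OldValue} object per changed property.
SAMPLE_EVENT = json.dumps({
    "_time": "2021-01-20T10:00:00Z",
    "TestData": [
        {"Name": "test_key_name", "NewValue": "enabled", "OldValue": "disabled"},
        {"Name": "other_key", "NewValue": "1,2", "OldValue": "0"},
    ],
})


def spath_flatten(obj, path="", out=None):
    """Flatten JSON the way spath names fields: nested keys joined with '.',
    list elements collected under 'key{}' as a multivalue field (a list here).
    Hypothetical model of spath's naming, not Splunk's code."""
    if out is None:
        out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            spath_flatten(value, f"{path}.{key}" if path else key, out)
    elif isinstance(obj, list):
        for item in obj:
            spath_flatten(item, f"{path}{{}}", out)
    else:
        out.setdefault(path, []).append(str(obj))
    return out


def mvzip(left, right, delim=","):
    """Model of mvzip: pair the i-th value of two multivalue fields."""
    return [f"{a}{delim}{b}" for a, b in zip(left, right)]


def expand_properties(event_json, delim=","):
    """Apply the query's mvzip -> mvexpand -> split -> mvindex steps."""
    fields = spath_flatten(json.loads(event_json))
    names = fields.get("TestData{}.Name", [])
    new_values = fields.get("TestData{}.NewValue", [])
    old_values = fields.get("TestData{}.OldValue", [])
    # Two-field mvzip nested to carry three fields, as in the corrected query.
    zipped = mvzip(mvzip(names, new_values, delim), old_values, delim)
    rows = []
    for x in zipped:                 # mvexpand: one row per zipped value
        parts = x.split(delim)       # split: a delimiter inside a value shifts columns
        rows.append({"_time": fields["_time"][0], "property_name": parts[0],
                     "property_new_value": parts[1], "property_old_value": parts[2]})
    return rows


def search_property(rows, name):
    """The final '| search property_name=...' filter on the expanded rows."""
    return [r for r in rows if r["property_name"] == name]
```

Running it with the default comma delimiter reproduces the column shift for the "1,2" value; passing delim="|" keeps all three columns aligned.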
