So I found this problem annoying enough to write a custom search command to solve it. Maybe someday the Splunk UI will off an "expand all" feature, making nested JSON structures easier to navigate, but in the meantime this is what I do.
I have an app called JMESPath that includes an extra helper search command called jsonformat that does exactly what you're looking for. If your event is a JSON string, you can just call ... | jsonformat and it will replace the _raw field (the text of your event) with a formatted JSON string. This can also optionally sort the JSON object, set a custom indentation level, or format json fields (like after calling spath ). There are many possibilities.
For more examples and use cases, see the jsonformat command reference.
... View more