After having played around with the 'jsonkv' tool in the 'jsonutils' app on SplunkBase, I got stuck on parsing array values.
Fortunately Splunk 5 has a search command 'spath' that does the job.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Spath
I had to extract the JSON component of my log entry into its own field and pass it to |spath input=raw_json, then the rest worked as documented.
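The approach described in the post above, as an added example that is not part of the original post: the JSON portion of an event is pulled into raw_json with rex, then spath expands it, including the array values. The sample event, the payload= key, and the field names user, roles, attempts, ip and ok are constructed for illustration; the leading stats count only generates one empty row to hold the sample event.

```spl
| stats count
| eval _raw="2013-05-01 12:00:00 host=web01 action=login payload={\"user\":\"alice\",\"roles\":[\"admin\",\"dev\"],\"attempts\":[{\"ip\":\"192.0.2.10\",\"ok\":false},{\"ip\":\"192.0.2.11\",\"ok\":true}]}"
``` Constructed sample event above: a plain-text prefix followed by a JSON object. ```
| rex field=_raw "payload=(?<raw_json>\{.*\})$"
| spath input=raw_json
| spath input=raw_json path=attempts{} output=attempt
| mvexpand attempt
| spath input=attempt
| table user roles{} ip ok
```

The first spath yields user and the multivalue field roles{}; the second returns each element of the attempts array as its own JSON object, so mvexpand can split them into one row per element before the last spath extracts ip and ok. The inline triple-backtick comment is only accepted by newer Splunk releases, so drop that line when running this on Splunk 5.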