Answers prior to the release of Splunk 4.3 in January 2012 are somewhat out of date. In that release, indexed JSON can now be extracted as structured JSON fields, either automatically via a new KV_MODE = json setting, or on demand using the new spath search command. There is no need to create a new search command, and you don't need to flatten or reformat the input.
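As an added illustration (not part of the original answer), this is what the automatic option looks like in props.conf. The sourcetype name my_json_app and the field names in the comments are assumptions chosen for the example; KV_MODE is a search-time setting, so the stanza belongs in props.conf on the search head (or in an app deployed there), and no re-indexing is needed.

```ini
# props.conf (search head): enable automatic JSON field extraction
# for every event of the assumed sourcetype "my_json_app".
# With this in place, an event whose _raw is
#   {"user":{"name":"alice","role":"admin"},"action":"login","ok":true}
# yields the search-time fields user.name, user.role, action and ok
# without any flattening of the event at index time.
[my_json_app]
KV_MODE = json
```

The on-demand alternative from the answer is the spath command in the search itself, for example `sourcetype=my_json_app | spath` to pull every key out of _raw, or `sourcetype=my_json_app | spath input=_raw path=user.name output=username` to extract one nested value into a field of your choosing. One caveat worth knowing: KV_MODE = json expects the whole event to be a JSON document; if your events carry a syslog-style prefix in front of the JSON, auto-extraction will not fire, and the usual approach is to extract the JSON portion into a field first and then hand that field to spath via input=<fieldname>.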