I would like to get the list of those items in the properties field, like appName, levelId, etc.
Thank you guys, it worked!What is the best option to correctly fix the JSON quote?
Fix it at source, i.e. get the application to do it properly in the first place! 😀
As it doesn't appear to be correctly quoted JSON, spath won't work, so try
| rex field=properties "appname.:.(?<appname>[^']*).*levelId.:[^\d]*(?<levelId>\d+)"
Not particularly robust, but should work in this example
As @bowesmana pointed out, it doesn't appear to be correctly quoted JSON, so you could fix that, then use spath
| eval properties=replace(properties,"'","\"") | spath input=properties
