I was able to solve this by creating two field transforms like the following that handle the case where the values are in quotes (e.g., key1="value1 with spaces") as well as the case where they aren't (e.g., key1=value1withoutspaces).
json_msg_transform_with_quotes
(?P<_KEY_1>\w+)="(?P<_VAL_1>[^"]*)"
json_msg_transform_without_quotes
(?P<_KEY_1>\w+)=(?P<_VAL_1>[^"\s]+)
I then wired up two new field extractions that use those transforms on the desired source type, and I'm now seeing all the fields (both those from the raw JSON event as well as those embedded in the msg field) available at query time.
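The two patterns from the post, run over a constructed msg value, as an added example that is not part of the original post. Python's `re` is used only to show what each regex matches; the sample string, the function names and the first-match-wins merge are assumptions and do not reproduce Splunk's own handling of extracted fields.

```python
import re

# The two transform regexes exactly as given in the post.
WITH_QUOTES = re.compile(r'(?P<_KEY_1>\w+)="(?P<_VAL_1>[^"]*)"')
WITHOUT_QUOTES = re.compile(r'(?P<_KEY_1>\w+)=(?P<_VAL_1>[^"\s]+)')

# Constructed sample: the decoded content of a msg field (assumption).
SAMPLE_MSG = 'user=alice action="file upload" note="retry count=3 exceeded" status=ok'


def pairs(pattern, msg):
    """Return every (key, value) pair the pattern finds in msg, in order."""
    return [(m.group("_KEY_1"), m.group("_VAL_1")) for m in pattern.finditer(msg)]


def extract_fields(msg):
    """Merge the results of both patterns; the first value seen for a key wins."""
    fields = {}
    for pattern in (WITH_QUOTES, WITHOUT_QUOTES):
        for key, value in pairs(pattern, msg):
            fields.setdefault(key, value)
    return fields


if __name__ == "__main__":
    print("quoted:  ", pairs(WITH_QUOTES, SAMPLE_MSG))
    print("unquoted:", pairs(WITHOUT_QUOTES, SAMPLE_MSG))
    print("merged:  ", extract_fields(SAMPLE_MSG))
```

The unquoted pattern skips `action="..."` and `note="..."` because its value class excludes a leading quote, but it does match `count=3` inside the quoted `note` value, so key=value text embedded in a quoted string surfaces as its own field.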