Thanks @gcusello

For example, I am trying to see how I can extract the IP whenever it comes after the text:

"Source device","values":[{"ip":

Log:

{"type":"device","key":"Source device","values":[{"ip":"10.10.10.10","mac"

I tried the following statements, but they didn't work:

| rex field=_raw ".*,\"Source device\",\"values\":"\[\{\"ip\":"(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\",\"mac\""

"Source device\",\"values\":"\[\{\"ip\":

| rex field=_raw "(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

| rex field=_raw "Source device,value:\S{\w+:(?<src_ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
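An added example, not part of the original post: an offline Python check of a pattern anchored on the literal text in front of the address, compared with a bare IP pattern. Python spells the named group `(?P<name>...)` where `rex` uses `(?<name>...)`, and inside a quoted `rex` argument each literal `"` has to be written `\"`. The second device entry, the MAC values and the closing brackets in the sample are constructed assumptions.

```python
import re

# Constructed sample event. Only the "Source device" fragment comes from the
# post; the "Destination device" entry, MACs and closing brackets are assumed.
SAMPLE = (
    '[{"type":"device","key":"Destination device","values":'
    '[{"ip":"10.20.20.20","mac":"00:00:5e:00:53:02"}]},'
    '{"type":"device","key":"Source device","values":'
    '[{"ip":"10.10.10.10","mac":"00:00:5e:00:53:01"}]}]'
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Bare IP pattern: matches the first dotted quad anywhere in the event.
UNANCHORED = re.compile(r"(?P<src_ip2>" + IPV4 + r")")

# Anchored pattern: the literal prefix must precede the address.
# '[' and '{' are regex metacharacters and are escaped; '"' is literal.
ANCHORED = re.compile(
    r'"key":"Source device","values":\[\{"ip":"(?P<src_ip2>' + IPV4 + r')"'
)


def extract(pattern, raw):
    """Return the src_ip2 capture, or None when the pattern does not match."""
    match = pattern.search(raw)
    return match.group("src_ip2") if match else None


def valid_ipv4(text):
    """\\d{1,3} also accepts values such as 999, so range-check each octet."""
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


if __name__ == "__main__":
    print("unanchored:", extract(UNANCHORED, SAMPLE))
    print("anchored:  ", extract(ANCHORED, SAMPLE))
```
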