If the source is conforming JSON, you shouldn't need to use regex to extract such data. If the above is how a full line looks, the full JSON message is perhaps something like

{...,"somekey":
"Source device","values":[{"ip":"10.10.10.10","mac"
:"12:34:56:78:9a:bc"},...],...}

But no matter how the full JSON message is broken up into multiple lines, spath should be able to handle it. Using a built-in command/function to extract structured data is much more robust. So, I recommend focusing on getting the full JSON message. Assuming the JSON message is in jsonfield, the following will catch the source device:

| spath input=jsonfield
| where somekey == "Source device"
| rename values{}.* AS source_*

The source IP address, for example, will be in the source_ip field.
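As an added illustration of the point made in the answer above (this is not the answer's own code, and it is Python rather than SPL so it can be run anywhere), the sketch below reassembles a JSON event that a log pipeline split across physical lines, and compares a line-by-line regex with a proper JSON parse. The field names somekey, values, ip and mac come from the thread; the host and severity fields, the second device entry, the exact line split and the regex are constructed for the example.

```python
import ipaddress
import json
import re

# Constructed sample: one JSON event that the pipeline split across three
# physical lines, with the breaks falling inside the JSON as in the question.
RAW_LINES = [
    '{"host":"fw01","somekey":',
    '"Source device","values":[{"ip":"10.10.10.10","mac"',
    ':"12:34:56:78:9a:bc"},{"ip":"10.10.10.11","mac":"de:ad:be:ef:00:01"}],'
    '"severity":"info"}',
]

# A naive per-line regex (constructed): it assumes "ip" and "mac" sit on the
# same line with no whitespace between them, so it cannot see the first device.
NAIVE_RE = re.compile(r'"ip":"([^"]+)","mac":"([^"]+)"')


def regex_extract(lines):
    """Line-by-line regex extraction: brittle when an event is split mid-object.
    Returns a list of (ip, mac) tuples, silently dropping anything the regex misses."""
    found = []
    for line in lines:
        found.extend(NAIVE_RE.findall(line))
    return found


def reassemble(lines):
    """Join the physical lines back into one JSON document (the 'full message')."""
    return "".join(lines)


def extract_source_devices(lines, key="somekey", wanted="Source device"):
    """Structured equivalent of the spath / where / rename pipeline:
    parse the reassembled JSON, keep the event only if event[key] == wanted,
    and return each values[] entry with its fields prefixed by 'source_'.
    Entries whose ip is not a parseable address are skipped rather than
    passed downstream, since log content is untrusted input."""
    event = json.loads(reassemble(lines))  # raises on malformed JSON
    if event.get(key) != wanted:
        return []
    devices = []
    for entry in event.get("values", []):
        try:
            ipaddress.ip_address(entry.get("ip", ""))
        except ValueError:
            continue  # malformed or missing ip: do not emit a half-formed record
        devices.append({f"source_{k}": v for k, v in entry.items()})
    return devices


if __name__ == "__main__":
    print("regex, per line :", regex_extract(RAW_LINES))
    print("json, reassembled:", extract_source_devices(RAW_LINES))
```

Run as a script it shows the regex returning only the second device, while the parsed version returns both with source_ip and source_mac fields, which is the same result the spath pipeline produces once the full message is available in one field.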