Hi, actually there seems to be some non-JSON part at the beginning of the message. But you can take the JSON part into its own field and then use it like ...
| rex "(?<json>\{.*\}$)"
Then you can use spath with this json field to pick the wanted fields and values. INDEXED_EXTRACTIONS = json is a good option for pure JSON events, BUT you need to remember that this generates indexed fields, and depending on the contents and amount of those it could be good or bad from a performance point of view. Another option is to use KV_MODE=json at search phase, which doesn't blow up your tsidx files. There is a place for both of those (but never at the same time, or you would get duplicate values), or use some other ways too. r. Ismo
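The rex-then-spath approach above, as an added Python illustration that is not part of the original post: it applies the same `\{.*\}$` pattern to constructed events that carry a non-JSON prefix, parses the captured tail, and resolves spath-style paths such as `src.ip` and `tags{0}` (the 0-based array index is an assumption of this example), returning None where an event has no JSON body.

```python
import json
import re

# Python equivalent of the post's rex pattern: capture from the first "{"
# through the final "}" at the end of the event into a field named "json".
JSON_TAIL = re.compile(r"(?P<json>\{.*\}$)")

# Constructed sample events: syslog-style prefix followed by a JSON body.
SAMPLE_EVENTS = [
    '2024-01-15T10:22:31Z myhost app[1234]: {"user": "alice", "action": "login", '
    '"src": {"ip": "10.0.0.5"}, "tags": ["mfa", "ok"]}',
    '2024-01-15T10:22:32Z myhost app[1234]: {"user": "bob", "action": "login_failed", '
    '"src": {"ip": "10.0.0.9"}, "tags": []}',
    '2024-01-15T10:22:33Z myhost app[1234]: plain text line with no json body',
]

def extract_json_field(event: str):
    """Mimic `| rex "(?<json>\\{.*\\}$)"`: return the JSON tail or None."""
    m = JSON_TAIL.search(event)
    return m.group("json") if m else None

def spath(obj, path: str):
    """Resolve a dotted spath-style path: 'key', 'key{}' (whole array),
    'key{N}' (Nth element, 0-based here). Returns None if absent."""
    cur = obj
    for part in path.split("."):
        m = re.fullmatch(r"([^{]+)(?:\{(\d*)\})?", part)
        if not m or not isinstance(cur, dict) or m.group(1) not in cur:
            return None
        cur = cur[m.group(1)]
        if m.group(2) is not None:           # array accessor present
            if not isinstance(cur, list):
                return None
            if m.group(2) != "":             # explicit index
                idx = int(m.group(2))
                if idx >= len(cur):
                    return None
                cur = cur[idx]
    return cur

def pick_fields(event: str, paths):
    """rex + spath in one step: extract the JSON tail and pick wanted paths."""
    tail = extract_json_field(event)
    if tail is None:
        return None
    try:
        doc = json.loads(tail)
    except json.JSONDecodeError:
        return None                          # prefix matched but body is not valid JSON
    return {p: spath(doc, p) for p in paths}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(pick_fields(ev, ["user", "action", "src.ip", "tags{0}"]))
```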