I have Okta data. One of the fields - id - contains a whole string of data which includes the browser and the app and the device. The problem is that the device is not consistently in the same location. If the user is trying to access Calendar, it might list the mobile device or the operating system (for Mac or iPhone) at the beginning of the string. Androids appear to list in parens with the version in the middle of the string.
Here are some examples:
Mac+OS+X/10.14 (18A391) CalendarAgent/416
Mozilla/5.0 (Linux; Android 8.1.0; SM-T580) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1
I'm using spath for other fields but they come in pairs. I have no idea how to parse this since the devices aren't located in a set place in the string.
Here's a look at the actual JSON string:
{ [-]
    action: { [-]
        categories: [ [-]
            Sign-in Failure
            Suspicious Activity
        ]
        message: Sign-in Failed - User is currently locked out
        objectType: core.user_auth.login_failed
        requestUri: /api/v1/authn
    }
    actors: [ [-]
        { [-]
            displayName: SAFARI
            id: Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1
            ipAddress: XXX.XX.XXX.XXX
            objectType: Client
        }
    ]
    eventId: tevoAE1o350RMaoTKZTQFuBhQ1555012915000
    published: 2019-04-11T20:01:55.000Z
    requestId: XK@dMhHceXrbWBajIF8MnQAABPI
    sessionId:
    targets: [ [-]
        { [+]
        }
    ]
}
Any advice?
Next time post the raw text. This is display-formatted JSON and several layers are collapsed.
Parsing User Agent information is very difficult and most regular expression methods are not 100% accurate. You can give this a try
Wow. Thanks! This code is almost perfect. The one entry that didn't match doesn't seem to have a recognizable device.
I've never even used JSON before. My boss assigned the project yesterday and said it was my top priority.
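Added example, not part of the thread and not the code from the answer above: one way to pull the device out of the id field wherever it sits in the string, using ordered regex searches and returning "unknown" when nothing recognizable is present. The function names, the pattern list and the sample event are constructed for illustration; the event assumes the raw JSON uses the same key names as the display view in the question.

```python
import json
import re

# Ordered (label, pattern) pairs. search() scans the whole string, so the
# device token may sit anywhere. Specific platforms come first because the
# iPhone string also contains "Mac OS X".
DEVICE_PATTERNS = [
    ("iPhone",  re.compile(r"\(iPhone;.*?iPhone OS (?P<ver>\d+(?:_\d+)*)")),
    ("iPad",    re.compile(r"\(iPad;.*?OS (?P<ver>\d+(?:_\d+)*)")),
    ("Android", re.compile(r"Android (?P<ver>[\d.]+)(?:; (?P<model>[^;)]+))?")),
    ("Mac",     re.compile(r"Mac[ +]OS[ +]X[ /](?P<ver>\d+(?:[._]\d+)*)")),
    ("Windows", re.compile(r"Windows NT (?P<ver>[\d.]+)")),
]

def parse_device(user_agent):
    """Return device, version and model; device is 'unknown' if nothing matches.

    The user agent is supplied by the client, so treat the result as a hint
    for triage, not as verified device identity.
    """
    for label, pattern in DEVICE_PATTERNS:
        m = pattern.search(user_agent or "")
        if m:
            groups = m.groupdict()
            return {"device": label,
                    "version": (groups.get("ver") or "").replace("_", "."),
                    "model": groups.get("model")}
    return {"device": "unknown", "version": "", "model": None}

def client_device(raw_event):
    """Parse the id of the actor whose objectType is Client."""
    event = json.loads(raw_event)
    for actor in event.get("actors", []):
        if actor.get("objectType") == "Client":
            return parse_device(actor.get("id", ""))
    return parse_device("")

# Constructed sample event: field values copied from the question, key layout assumed.
SAMPLE_EVENT = json.dumps({
    "actors": [{
        "displayName": "SAFARI",
        "id": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 "
              "Mobile/15E148 Safari/604.1",
        "ipAddress": "XXX.XX.XXX.XXX",
        "objectType": "Client",
    }],
    "published": "2019-04-11T20:01:55.000Z",
})
```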