@bshega, please try the following search:
index=iot-productiondb source=Users
| eval _raw=replace(_raw,"\\\\\"","\"")
| rex "additional_info=\"\"(?<additional_info>[^}]+})"
| spath input=additional_info
Following is a run-anywhere search to extract JSON data using rex (first, the _raw data is cleaned up using the replace() function). Then the additional_info field is extracted from the _raw event using the rex command. Finally, spath is applied to the additional_info field:
| makeresults
| eval _raw=" 2017-01-04 16:41:34.439, id=\"60\", created_at=\"2017-01-04 16:41:34.43926\", updated_at=\"2017-01-04 16:41:34.43926\", email=\"\", encrypted_password=\"\", token=\"\", first_name=\"Brandon\", last_name=\"Shega\", additional_info=\"\"{\\\"address_2\\\":\\\"\\\",\\\"city\\\":\\\"North Olmsted\\\",\\\"zip_code\\\":\\\"44070\\\",\\\"country\\\":\\\"us\\\",\\\"address_1\\\":\\\"23500 Al Moen Dr\\\",\\\"state\\\":\\\"Ohio\\\"}\"\""
| eval _raw=replace(_raw,"\\\\\"","\"")
| rex "additional_info=\"\"(?<additional_info>[^}]+})"
| spath input=additional_info
PS: Sample data generated using | makeresults and |eval raw=.... has escaped characters in order to generate raw data as per the question.
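For testing the extraction logic outside Splunk, the following added example (not part of the original post) reproduces the replace and rex steps in Python and shows one limit of the `[^}]+}` pattern: it stops at the first closing brace, so a nested object is cut short. The sample events, the function names and the decoder-based alternative are assumptions made for this illustration.

```python
import json
import re

# Constructed sample events in the shape shown in the post: the JSON inside
# additional_info is wrapped in "" and its quotes are backslash-escaped.
FLAT_EVENT = (
    '2017-01-04 16:41:34.439, id="60", first_name="Brandon", '
    'additional_info=""{\\"city\\":\\"North Olmsted\\",\\"zip_code\\":\\"44070\\"}""'
)
NESTED_EVENT = (
    '2017-01-04 16:41:34.439, id="61", '
    'additional_info=""{\\"geo\\":{\\"lat\\":41.4},\\"state\\":\\"Ohio\\"}"", token=""'
)

MARKER = 'additional_info=""'


def unescape(raw):
    # Same effect as: eval _raw=replace(_raw,"\\\\\"","\"")
    return raw.replace('\\"', '"')


def extract_like_rex(raw):
    # Same pattern as the rex in the post: capture up to the first "}".
    m = re.search(r'additional_info=""(?P<additional_info>[^}]+})', unescape(raw))
    return m.group("additional_info") if m else None


def extract_with_decoder(raw):
    # Hypothetical alternative: let a JSON decoder find where the object ends,
    # so nested braces do not truncate the capture.
    cleaned = unescape(raw)
    start = cleaned.find(MARKER)
    if start < 0:
        return None
    try:
        obj, _end = json.JSONDecoder().raw_decode(cleaned, start + len(MARKER))
    except json.JSONDecodeError:
        return None
    return obj


if __name__ == "__main__":
    print(extract_like_rex(FLAT_EVENT))      # complete object
    print(extract_like_rex(NESTED_EVENT))    # truncated at the inner "}"
    print(extract_with_decoder(NESTED_EVENT))
```
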