The content of that field is ALMOST JSON, which would make it super easy to parse. If it were:
{"field1": "Original", "media": "MediaType", "post": "mu"}
You could use the spath command to parse it.
| spath input=Params
But it isn't, so that's not useful. However, you should be able to use extract without having to use a complex regex.
... | extract pairdelim=";{}" kvdelim=":"
I tested it with the following:
index=* | head 1 | eval _raw="{ field1 : Original; media : MediaType; post : mu}" | extract pairdelim=";{}" kvdelim=":" | table field1 media post
which outputs:
field1    media      post
Original  MediaType  mu
This will be flexible to any kvpairs that happen to show up in the Params field. (Note it'll get weird if the values themselves contain {}:; as that'll be what it's looking for to separate kvpairs)
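To make the caveat about delimiter characters inside values concrete, here is an added example (not part of the original answer, and a simplified model rather than Splunk's own extraction logic). It compares splitting on every delimiter character with splitting each pair on its first colon only; the function names and both sample strings are constructed for illustration.

```python
import re

PAIR_DELIMS = ";{}"   # same characters as pairdelim in the answer
KV_DELIM = ":"        # same character as kvdelim in the answer

def naive_split(params):
    """Treat every delimiter character as a separator, wherever it appears."""
    pairs = {}
    for chunk in re.split("[" + re.escape(PAIR_DELIMS) + "]", params):
        parts = [p.strip() for p in chunk.split(KV_DELIM)]
        if len(parts) >= 2 and parts[0]:
            pairs[parts[0]] = parts[1]   # text after a second ':' is dropped
    return pairs

def first_colon_split(params):
    """Strip the outer braces, split pairs on ';', split each pair on its first ':'.

    Tolerates ':' and '{}' inside values; a ';' inside a value still breaks it.
    """
    body = params.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    pairs = {}
    for chunk in body.split(";"):
        key, sep, value = chunk.partition(KV_DELIM)
        if sep and key.strip():
            pairs[key.strip()] = value.strip()
    return pairs

def ambiguous_keys(params):
    """Keys whose value differs between the two strategies (worth a manual look)."""
    naive, strict = naive_split(params), first_colon_split(params)
    return sorted(k for k in strict if naive.get(k) != strict[k])

# Constructed samples: the string from the answer, and one with delimiters in values.
CLEAN = "{ field1 : Original; media : MediaType; post : mu}"
TRICKY = "{ field1 : Original; url : https://example.com/a; post : {mu}}"

if __name__ == "__main__":
    for sample in (CLEAN, TRICKY):
        print(naive_split(sample), first_colon_split(sample), ambiguous_keys(sample))
```

Running a check like `ambiguous_keys` over a sample of real Params values before relying on delimiter-based extraction shows which fields would be silently truncated.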