Regular expression for OSSEC
\Wname":".+name":"(.+)"},.+src_ip":"(\d+\.\d+\.\d+\.\d+)".+dst_ip":"(\d+\.\d+\.\d+\.\d+)".+severity":(\d\d)
This is the regular expression I am currently using for the log below.
2017-09-07 12:40:18 User.Info 192.168.1.242 2017-08-15T16:31:24.0+05:30 192.168.1.242 McAfee_SIEM: {"source":{"id":144117387870863360,"name":"1.NLB Correlation Engine","subnet":"::0/128","host":""},"data":{"unique_id":1568068332,"alert_id":1568025262,"thirdpartytype":47,"sig":{"id":4000114,"name":"Recon - Possible Probing by a Single Source IP"},"norm_sig":{"id":135266304,"name":"Misc Form of Reconnaissance"},"action":"13","src_ip":"10.10.20.23","dst_ip":"10.10.20.23","src_port":0,"dst_port":0,"protocol":"n/a","src_mac":"00:00:00:00:00:00","dst_mac":"00:00:00:00:00:00","firsttime":"2017-08-15T11:01:24Z","lasttime":"2017-08-15T11:01:24Z","writetime":"2017-08-15T11:22:11Z","src_guid":"","dst_guid":"","total_severity":29,"severity":29,"eventcount":1,"flow":"0","vlan":"0","sequence":0,"trusted":2,"session_id":0,"compression_level":10,"reviewed":0,"AppID":"VIRUSCAN","Object_Type":"access protection","Filename":"13147265183603-PROPOSEACTIONS.DUMP","HostID":"VCSVR-TEST","UserIDDst":"NT AUTHORITY\u005CSYSTEM","Destination_Filename":"C:\u005CPROGRAMDATA\u005CVMWARE\u005CVMWARE VIRTUALCENTER\u005CLOGS\u005CDRMDUMP\u005CCLUSTER22\u005C13147265183603-PROPOSEACTIONS.DUMP","Device_Action":"would deny create","Detection_Method":"OAS","Process_Name":"D:\u005CPROGRAM FILES\u005CVMWARE\u005CINFRASTRUCTURE\u005CVIRTUALCENTER SERVER\u005CVPXD.EXE","Threat_Category":"hip.file","Threat_Name":"Virtual Machine Protection:Prevent modification of VMWare Server files and settings","Threat_Handled":"Yes"}}
I am trying to pull out only "severity", but it is preceded by "total_severity". How can I get around this, or work around it, and pull out only the severity? I'm kind of stuck here.
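The problem in the question is that the substring `severity":` occurs twice in the event (once inside the key `total_severity` and once as the key `severity`), so a pattern that is not anchored to the start of the key can stop at the wrong one. The usual fix is to include the delimiter that precedes the key (the comma and opening quote, `,"severity":`), which `total_severity` cannot satisfy because the character before its `severity` is an underscore. The following is an added example, not code from the question or from OSSEC: it is written in Python because OSSEC decoders use their own os_regex dialect, so only the anchoring idea (the literal `,"severity":(\d+)`) carries over to the decoder; the Python syntax around it does not. The sample log line is constructed, modelled on the event in the question, with `total_severity` deliberately set to a different value from `severity` so that matching the wrong field is visible (in the original event both are 29). The JSON cross-check at the end is there to confirm the regex result against a real parser.

```python
import json
import re
from typing import Optional

# Constructed sample line modelled on the McAfee SIEM event in the question.
# total_severity (50) differs from severity (29) on purpose so that a pattern
# matching the wrong key returns a visibly wrong value.
SAMPLE_LOG = (
    '2017-09-07 12:40:18 User.Info 192.168.1.242 2017-08-15T16:31:24.0+05:30 '
    '192.168.1.242 McAfee_SIEM: {"source":{"id":144117387870863360,'
    '"name":"1.NLB Correlation Engine"},"data":{"sig":{"id":4000114,'
    '"name":"Recon - Possible Probing by a Single Source IP"},'
    '"src_ip":"10.10.20.23","dst_ip":"10.10.20.23","total_severity":50,'
    '"severity":29,"eventcount":1}}'
)

# The severity part of the question's pattern, unanchored: the first place the
# text 'severity":' appears is inside '"total_severity":50', so this captures 50.
NAIVE_SEVERITY = re.compile(r'severity":(\d+)')

# Anchored on the JSON key delimiter. '"total_severity"' has an underscore before
# 'severity', not a comma and a quote, so only the real key can match.
EXACT_SEVERITY = re.compile(r',"severity":(\d+)')

# Full field extraction in the spirit of the question's pattern: signature name,
# source IP, destination IP and (correctly anchored) severity. Lazy '.*?' keeps
# each step from running past the key it is looking for.
IPV4 = r'(\d+\.\d+\.\d+\.\d+)'
FIELDS = re.compile(
    r'"sig":\{"id":\d+,"name":"([^"]+)"\}'  # signature name
    r'.*?"src_ip":"' + IPV4 + r'"'            # source address
    r'.*?"dst_ip":"' + IPV4 + r'"'            # destination address
    r'.*?,"severity":(\d+)'                   # severity, not total_severity
)


def naive_severity(line: str) -> Optional[str]:
    """Reproduce the pitfall: returns the total_severity value on the sample."""
    m = NAIVE_SEVERITY.search(line)
    return m.group(1) if m else None


def exact_severity(line: str) -> Optional[str]:
    """Return the value of the 'severity' key only."""
    m = EXACT_SEVERITY.search(line)
    return m.group(1) if m else None


def extract_fields(line: str) -> Optional[dict]:
    """Pull signature name, src_ip, dst_ip and severity out of one event line."""
    m = FIELDS.search(line)
    if not m:
        return None
    name, src, dst, sev = m.groups()
    return {"sig_name": name, "src_ip": src, "dst_ip": dst, "severity": int(sev)}


def severity_from_json(line: str) -> int:
    """Cross-check: parse the JSON payload after the 'McAfee_SIEM: ' prefix."""
    payload = line.split("McAfee_SIEM: ", 1)[1]
    return json.loads(payload)["data"]["severity"]


if __name__ == "__main__":
    print("naive  :", naive_severity(SAMPLE_LOG))   # wrong field (total_severity)
    print("exact  :", exact_severity(SAMPLE_LOG))   # the severity key itself
    print("fields :", extract_fields(SAMPLE_LOG))
    print("json   :", severity_from_json(SAMPLE_LOG))
```

When carrying the fix into the OSSEC decoder, the only change needed to the question's pattern is to write the last step as `,"severity":(\d\d)` (or `(\d+)`) instead of `severity":(\d\d)`; the rest of the pattern is unaffected. Checking the extracted value against a JSON parse of the same event, as the last function does, is a cheap way to validate a decoder regex against a handful of captured lines before deploying it.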