I am having a hard time figuring out how to removing the string "" (quotation) on the key value field with JSON array. I wanted to make it a standard format for me to use the for loop function but this issue of having a string are hindering me.

Here's the log that I want to parsed:

"loggedOnUsers_s": "[{\\"accountName\\":\\"EJ Mindanao\\",\\"domainName\\":\\"sample.com\\"}]"

I want to eliminated the "" quotation and the "\\" for it to be use for loop funtion

ideal:

"loggedOnUsers_s": [{"accountName":"EJ Mindanao","domainName":"sample.com"}]

I also tried using this gsub function but it doesnt work

mutate {

gsub => ["message", '\\"[', "["]

}

mutate {

gsub => ["message", ']\\"', "]"]

}