This extraction is for Suricata alerts that do not include an interface description:
> [(?<gen_id>\d+?):(?<sig_id>\d+?):(?<sigrev_id>\d+?)]\s+(?.
?)(?:\s+[Classification:\s)(?.*?)(?:])(?:\s+[Priority:\s+)(?\d+)(?:]\s+{)(?
\w+)(?:}\s+)(?<src_ip>\S+)(?::)(?<src_port>\d+
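
The same extraction as a runnable parser for Suricata `fast.log` lines, added here as an example and not part of the original page. It uses Python's `(?P<name>...)` syntax; `gen_id`, `sig_id`, `sigrev_id`, `src_ip` and `src_port` are the page's names, while `signature`, `classification`, `priority`, `proto`, `dest_ip` and `dest_port` are assumed names, and the sample lines are constructed.

```python
import re

# fast.log layout after the timestamp and the first "[**]" marker:
#   [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src:port -> dst:port
# Group names other than gen_id, sig_id, sigrev_id, src_ip and src_port are
# assumptions made for this example.
FAST_ALERT = re.compile(
    r"\[(?P<gen_id>\d+):(?P<sig_id>\d+):(?P<sigrev_id>\d+)\]\s+"
    r"(?P<signature>.*?)\s+\[\*\*\]"          # message, without the trailing [**]
    r"\s+\[Classification:\s+(?P<classification>.*?)\]"
    r"\s+\[Priority:\s+(?P<priority>\d+)\]"
    r"\s+\{(?P<proto>[^}]+)\}\s+"
    # Greedy \S+ backtracks to the last colon, so IPv6 addresses keep their colons.
    r"(?P<src_ip>\S+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dest_ip>\S+):(?P<dest_port>\d+)\s*$"
)

INT_FIELDS = ("gen_id", "sig_id", "sigrev_id", "priority", "src_port", "dest_port")

def parse_fast_alert(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = FAST_ALERT.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields

def parse_all(lines):
    """Parse every line; unmatched lines are returned separately, not dropped."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_fast_alert(line)
        (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# Constructed sample lines (not taken from a real sensor).
SAMPLES = [
    "03/14/2024-10:15:32.123456  [**] [1:1000001:3] LOCAL example outbound request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:51234",
    "03/14/2024-10:15:33.000001  [**] [1:1000002:1] LOCAL [test] rule with brackets [**] [Classification: Misc activity] [Priority: 3] {UDP} 2001:db8::1:53 -> 2001:db8::2:40000",
    "03/14/2024-10:15:34.000002  this line is not an alert",
]

if __name__ == "__main__":
    ok, bad = parse_all(SAMPLES)
    for rec in ok:
        print(rec)
    print(f"{len(bad)} line(s) did not match")
```

Keeping the rejected lines makes a format drift (for example, alerts that do carry an interface description) show up as a count instead of as silently missing events.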