diff --git a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
index 8a9c7db4..e15162d5 100644
--- a/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
+++ b/config/processors/event_hub_audit_azure.event_hub_interactive_signin.conf
@@ -19,7 +19,7 @@ filter {
 skip_on_invalid_json => false
 tag_on_failure => "_jsonparsefailure_split_msg"
 }
- if [message] =~ '^{"records": \[' {
+ if [message] =~ '^{(\s+)?"records".*?$' {
 split {
 field => "[tmp][records]"
 target => "az"
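Review bot: The new condition `'^{(\s+)?"records".*?$'` drops the old requirement that `"records"` be followed by `: [`, so any message that starts with a `records` key now enters the `split` branch, whatever the value's type; the trailing `.*?$` adds nothing to a `=~` test. If the intent is only to tolerate whitespace variants in the Event Hub payload, `if [message] =~ '^{\s*"records"\s*:\s*\[' {` keeps the array check while accepting them. Because these are sign-in audit events, it is also worth confirming that messages failing this condition are tagged rather than passed on unsplit, where downstream detections could miss them. The rest of the `filter` block is outside the hunk, so that may already be handled.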