If you don’t have the ability to modify your props.conf to extract the field correctly, this rex will pull it (presuming it’s at the end of the event):
index=ndx sourcetype=srctp
| rex field=_raw "HelloSample\=(?<HelloSample>.+)"
If your test is somewhere else in the event, we’ll need to know what kind of delimeters exist to refine the above regex
from User warren – Stack Overflow https://stackoverflow.com/questions/54567818/extract-values-from-a-field/64680573#64680573
via IFTTT