Here’s a simpler way to do it – and one which will return all the matches in a given event into a multivalue field:
index=ndx sourcetype=srctp
rex field=_raw max_match=0 "\[[^\[=]+\=(?<new_field>[^\]]+)"
Start with skipping the opening bracket, and anything up to an equal sign
Then everything after the equal sign to a closing bracket will be matched
from User warren – Stack Overflow https://stackoverflow.com/questions/69896820/extract-string-in-square-bracket-with-regex/70069947#70069947
via IFTTT