If you’d like a full regex for extracting all of the bracketed fields, this is the most efficient one-shot I could make:
| rex field=_raw "(?<extid>[\d\.]+).+D\[(?<fieldtype>[^\]]+).+T\[(?<format>[^\]]+).+L\[(?<ll>[^\]]+).+N\[(?<len>[^\]]+).+E\[(?<type>[^\]]+).+S\[(?<charset>[^\]]+).+A\[(?<data>[^\]]+)"
Most often I do sequential rex calls, just in case some fields aren’t present in all events, but your sample data shows each of these items present.
Once you’ve extracted every field in the data, you can stats or search it any way you may like (I see some of your "FLD" (which I’ve named "fieldtype") values can have spaces or punctuation, so I’m using the wildcard search feature to match anything that looks like "Response Code"):
index=ndx sourcetype=srctp
| rex field=_raw "(?<extid>[\d\.]+).+D\[(?<fieldtype>[^\]]+).+T\[(?<format>[^\]]+).+L\[(?<ll>[^\]]+).+N\[(?<len>[^\]]+).+E\[(?<type>[^\]]+).+S\[(?<charset>[^\]]+).+A\[(?<data>[^\]]+)"
| search fieldtype="Response*"
| stats count by extid data fieldtype
| fields - count
| where tonumber(data)>5
tonumber is quite flexible; I’m using it here in its simplest form.
from User warren – Stack Overflow https://stackoverflow.com/questions/71194954/splunk-search-query/73127433#73127433
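As an added illustration (not code from the answer above), here is the one-shot rex pattern run in JavaScript over constructed sample events in the bracketed layout, beside the per-field "sequential rex" form the answer recommends when a field may be absent, followed by the search/stats/where steps of the pipeline. The event strings and the field values in them are invented.

```javascript
// Constructed example, not the Stack Overflow answer's own code: the one-shot
// rex pattern vs. per-field extraction, plus the rest of the SPL pipeline.
const ONE_SHOT =
  /(?<extid>[\d\.]+).+D\[(?<fieldtype>[^\]]+).+T\[(?<format>[^\]]+).+L\[(?<ll>[^\]]+).+N\[(?<len>[^\]]+).+E\[(?<type>[^\]]+).+S\[(?<charset>[^\]]+).+A\[(?<data>[^\]]+)/;
// Constructed events in the bracketed layout the regex expects.
const EVENTS = [
  "2.1.7 D[Response Code] T[NUM] L[2] N[003] E[ASCII] S[utf-8] A[007]",
  "2.1.8 D[Response Code] T[NUM] L[2] N[003] E[ASCII] S[utf-8] A[003]",
  "2.1.9 D[Account Name] T[STR] L[2] N[012] E[ASCII] S[utf-8] A[ACME]",
  // No S[...] field: the one-shot pattern rejects this whole event.
  "2.2.0 D[Response Code] T[NUM] L[2] N[003] E[ASCII] A[009]",
];
// Single "| rex": every field is captured or none is.
function oneShotExtract(event) {
  const m = ONE_SHOT.exec(event);
  return m ? { ...m.groups } : null;
}
// Sequential "| rex" calls, one per field: a missing bracket only nulls that field.
const PER_FIELD = {
  extid: /^(?<v>[\d\.]+)/,
  fieldtype: /D\[(?<v>[^\]]+)/,
  format: /T\[(?<v>[^\]]+)/,
  ll: /L\[(?<v>[^\]]+)/,
  len: /N\[(?<v>[^\]]+)/,
  type: /E\[(?<v>[^\]]+)/,
  charset: /S\[(?<v>[^\]]+)/,
  data: /A\[(?<v>[^\]]+)/,
};
function sequentialExtract(event) {
  const out = {};
  for (const [name, re] of Object.entries(PER_FIELD)) {
    const m = re.exec(event);
    out[name] = m ? m.groups.v : null;
  }
  return out;
}
// Rest of the pipeline: search fieldtype="Response*", stats count by
// extid data fieldtype (one row per distinct tuple), fields - count,
// where tonumber(data)>threshold. Number("007") is 7, like tonumber.
function responseCodesAbove(events, threshold, extract = sequentialExtract) {
  const seen = new Set(), rows = [];
  for (const e of events) {
    const f = extract(e);
    if (!f || !f.fieldtype || !f.fieldtype.startsWith("Response")) continue;
    const key = `${f.extid}|${f.data}|${f.fieldtype}`;
    if (seen.has(key)) continue;
    seen.add(key);
    if (Number(f.data) > threshold) rows.push({ extid: f.extid, data: f.data, fieldtype: f.fieldtype });
  }
  return rows;
}
```

With the sequential form the event lacking S[...] still yields a row, while the one-shot pattern drops it.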