Just use stats to do this – there shouldn’t be a need to rex-out the end (or, at least, not the way you’re attacking it so far):
index=ndx sourcetype=srctp peer=* securityName=trap*
| stats values(securityName) as securityName by peer
| where mvcount(securityName)>1
from User warren – Stack Overflow https://stackoverflow.com/questions/76133855/splunk-finding-results-of-a-field-that-have-the-same-peer-but-two-or-more-diff/76146566#76146566
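
To try the stats/mvcount approach from the answer above without touching a real index, here is an added example that is not part of the original answer. It assumes constructed sample events (the peer addresses and securityName values in `constructed_events` are made up), generated with `makeresults` in place of the `index=ndx sourcetype=srctp` search:

```spl
| makeresults count=1
| eval constructed_events="10.0.0.1,trapA;10.0.0.1,trapB;10.0.0.2,trapA;10.0.0.2,trapA;10.0.0.3,public;10.0.0.4,trapC"
| makemv delim=";" constructed_events
| mvexpand constructed_events
| rex field=constructed_events "^(?<peer>[^,]+),(?<securityName>.+)$"
| search peer=* securityName=trap*
| stats values(securityName) as securityName by peer
| where mvcount(securityName)>1
```

Only peer 10.0.0.1 is returned, with securityName holding both trapA and trapB. Peer 10.0.0.2 sent trapA twice, but `values()` keeps distinct values only, so its `mvcount` is 1 and it is dropped along with the single-name and non-`trap*` peers.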