So I have this data

 Aug 22 09:13:46 someservername  <118>1 2018-08-22T09:13:46.743+00:00 ip.address LOGSTASH - - - {"timestamp":1534929226738,"process_id":62,"source":"OpsCodi:0","event_type":"SECURITY_MGMT_REGISTRY","data2":{"srctype":"ops_console"},"user":"U654321","target":"some.server.of.ours","message":"Add User [U123456] ","log_level":"INFO"}

I don't have a way to modify the field extractions or anything so I'm at the mercy of splunk. No admin rights so I've been working on some serious splunk fu with my search.

index=index sourcetype=sourcetype  source="source//*.log" | multikv | mvexpand _raw | search URGP_0="User [*]*" | regex URGP_0=(\[(\w+)\]) |  table URGP_0

So all I want to see is just U123456 and I intend to pipe this into a table in my dashboard once I have the regex working properly.

I am no master with regex but I've plugged it into various checkers online and they all show that it should be working but splunk just continues to show me the full field value which looks like this

User [U123456] ","log_level":"INFO"}

Yes its a terrible field but well prior to me putting in the mvexpand there were no fields detected so now I at least have something to work with.

Also if possible how to extract this user info from it as well

 "user":"U654321"

Thank you for your help with this.