I have this search query:
index="abc" |search SomeInfo | table _raw
and it returns a table with results in one column in this format:
2020-09-10 15:57:24,479 [the_value_i_need] INFO java.class.name:52 - SomeInfo|NAME=NAME1
2020-09-10 16:57:33,479 [the_value_i_need] INFO java.class.name:52 - SomeInfo|NAME=NAME1
2020-09-10 17:58:24,479 [the_value_i_need] INFO java.class.name:52 - SomeInfo|NAME=NAME1
Now, how do I get the value "the_value_i_need" in square brackets [] and display it in the table instead of showing everything from _raw?
I'm sure you know the table is showing _raw because you told it to do so. Replace "_raw" in the table command with other field names to display those fields. With any luck, Splunk extracted several fields for you, but the chances are good it did not extract the one you want. You can extract fields yourself using the rex command.
index="abc" "SomeInfo"
| rex "\[(?<fieldIneed>[^\]]+)"
| table fieldIneed
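The rex pattern above works because `[^\]]+` consumes everything up to, but not including, the closing bracket. As an added illustration (not part of the answer above, and not Splunk code), the following Python reproduces the same extraction offline against constructed sample events, so you can check the pattern before relying on it in a search. It also shows a fuller regex that assumes the fixed layout in the question (timestamp, bracketed value, level, logger, message) and splits the trailing `key=value` pairs; the second event's bracket value, the event without brackets, and the helper names are all constructed for this example.

```python
import re

# Constructed sample events mirroring the format in the question (not real data).
SAMPLE_EVENTS = [
    "2020-09-10 15:57:24,479 [the_value_i_need] INFO java.class.name:52 - SomeInfo|NAME=NAME1",
    "2020-09-10 16:57:33,479 [other_value] INFO java.class.name:52 - SomeInfo|NAME=NAME1",
    # Malformed line (constructed): no bracketed value at all.
    "2020-09-10 17:58:24,479 no brackets here INFO java.class.name:52 - SomeInfo|NAME=NAME1",
]

# Same pattern as the rex in the answer. Python spells a named group (?P<name>...)
# where Splunk's PCRE accepts (?<name>...); the matching logic is identical.
BRACKET_RE = re.compile(r"\[(?P<fieldIneed>[^\]]+)")

# Fuller pattern (an assumption about the log layout, based only on the three
# lines in the question): timestamp, bracketed value, level, logger, message.
FULL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<fieldIneed>[^\]]+)\] "
    r"(?P<level>\w+) "
    r"(?P<logger>\S+) - "
    r"(?P<message>.*)$"
)


def extract_bracket_value(raw):
    """Return the text inside the first [...] of an event, or None if absent.

    This mirrors `| rex "\\[(?<fieldIneed>[^\\]]+)"`: events that do not match
    simply get no fieldIneed value, which is what Splunk does too.
    """
    m = BRACKET_RE.search(raw)
    return m.group("fieldIneed") if m else None


def parse_event(raw):
    """Parse one event into a dict of named fields, or None if the layout differs.

    The trailing message ("SomeInfo|NAME=NAME1") is split on '|' and any
    key=value parts are collected into a nested 'kv' dict.
    """
    m = FULL_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    kv = {}
    for part in fields["message"].split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key] = value
    fields["kv"] = kv
    return fields


def table_fieldIneed(events):
    """Equivalent of `| table fieldIneed`: one extracted value per event."""
    return [extract_bracket_value(e) for e in events]


if __name__ == "__main__":
    for value in table_fieldIneed(SAMPLE_EVENTS):
        print(value)
    print(parse_event(SAMPLE_EVENTS[0]))
```

The unmatched third event is the case worth noticing: a search that pipes straight into `table fieldIneed` will show an empty cell for it rather than an error, so if the bracketed value is something you alert or report on, count the events where the field is null to make sure the extraction is not silently missing a log format variant.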