Since you wanted to work it like awk and looking at your new data:

1. Your word when separated by spaces comes at awk '{print $6}', so use the field index6 after applying the rex as below to get that: your base query | rex "^(?<index1>[\S]+)\s(?<index2>[\S]+)\s(?<index3>[\S]+)\s(?<index4>[\S]+)\s(?<index5>[\S]+)\s(?<index6>[\S]+)\s(?<index7>[\S]+)\s(?<index8>[\S]+)\s(?<index9>[\S]+)\s(?<index10>[\S]+)\s(?<index11>[\S]+)\s(?<index12>[\S]+)\s(?<index13>[\S]+)" |stats count by index6 See here

OR

1. Your word when separated by ":" comes as the first word of awk -F":" '{print $4}' which needs another pipe of awk '{print $1}'since "Start" is the first word of 4th index, hence find that piece as index4 below after applying rex: ...| rex "^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)" | stats count by index4 See here.