This extracts the field but the issue is that there are actually 2 other fields that are preceded by the field I want, which also have the same format i.e. [2015-09-24][465456][N1234SYS04]. Using the rex syntax you provided pulls information from the first one, but I want it from the 3rd parenthesis (i.e. I want the field to only show N1234SYS04, but currently its showing 2015-09-24). How can I specify which parenthesis I want to start the extraction from?

The original example you gave shows {} for the first, {] for the second, and [] for the third. With that data sample @Mus rex would work perfectly.

If in fact you have [] [] [] then you can modify Mus rex this way:

... | rex field=_raw "\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)" | stats count by ID

Thank you so much @wrangler2x and @Mus. That worked perfectly.

tested and working with this regex:

/opt/splunk/bin/splunk cmd pcregextest mregex="(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" test_str="[2015-09-24][465456][N1234SYS04]. 
> "

Original Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Expanded Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Regex compiled successfully. Capture group count = 2. Named capturing groups = 1.
SUCCESS - match against: '[2015-09-24][465456][N1234SYS04]. 
'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |                 | [465456]
    2 |              ID | N1234SYS04

so use it like this:

your base search here | rex field=_raw "(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" | ...