you can use it on row events
or using a rex command
| rex field=INDV "\d+\|\w+\|(?<your_field>[^\|]*)"
You can see it at https://regex101.com/r/Ve484u/1
I would consider using the mvindex commands for this, assuming INDV is being extracted already:
... | eval my_field=mvindex(split(INDV,"|"),2)
... | rex field=INDV "RSPAR\|(?<my_field>[^|]+)"
But that really depends on the consistency of the data around your target extraction.
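The three extractions suggested above, emulated in JavaScript on constructed INDV values to show where they diverge when the data is not consistent. This is an added example, not part of the original thread; the sample values, the helper names and the `my_field` capture name are assumptions, and the helpers only approximate rex and mvindex behaviour.

```javascript
// Constructed sample INDV values (not from the thread). In the regular case the
// target is the third pipe-delimited field and follows the literal RSPAR.
const samples = [
  "1001|RSPAR|alpha|x",      // regular event
  "1002|RSPAR||x",           // target field is empty
  "1003|OTHER|bravo|x",      // second field is not RSPAR
  "NOTE|1004|RSPAR|charlie", // an extra leading field shifts every position
];

// Assumed rex semantics: unanchored first match, no value when nothing matches.
function rex(value, pattern) {
  const m = pattern.exec(value);
  return m ? Object.values(m.groups)[0] : null;
}

// Positional rex from the thread: digits, a word, then the target.
const byPosition = (v) => rex(v, /\d+\|\w+\|(?<your_field>[^\|]*)/);

// Equivalent of mvindex(split(INDV,"|"),2): third element, null if there is none.
const byIndex = (v) => v.split("|")[2] ?? null;

// Anchor-based rex from the thread: whatever follows "RSPAR|", at least one character.
const byAnchor = (v) => rex(v, /RSPAR\|(?<my_field>[^|]+)/);

// Run all three extractions over each value so the differences sit side by side.
function compare(values) {
  return values.map((v) => ({
    INDV: v,
    byPosition: byPosition(v),
    byIndex: byIndex(v),
    byAnchor: byAnchor(v),
  }));
}

console.table(compare(samples));
```

The last row is the one to watch for in real data: the positional split silently returns the wrong field, while both regex forms still find the value.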