In your field extraction, try the regex for the conn field:
conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)
Breaking the regex down:
(?: - Start of non-capturing group
\[ - Escaped bracket, it will match the open bracket in the event
[^\]]+ - Move ahead until the close bracket is found in the event
\] - Match the close bracket in the event
) - End the non-capturing group
? - everything in the capturing group is optional - will match conn=12345 or conn[ssl/tls]=12345
For the field to be extracted, [0-9]+ will capture every numeric character after the "=", but if you expect any non-numeric characters you'll have to account for that.
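The regex from the post, run against a few constructed events, as an added example that is not part of the original post. JavaScript is used because its regex engine accepts the same `(?<name>...)` named-group syntax; the function name `extractConn` and the sample events are assumptions made for illustration.

```javascript
// Added example: the extraction regex from the post, unchanged.
const CONN_RE = /conn(?:\[[^\]]+\])?=(?<value_to_extract>[0-9]+)/;

// Hypothetical helper: returns the captured value, or null when the event does not match.
function extractConn(event) {
  const m = CONN_RE.exec(event);
  return m ? m.groups.value_to_extract : null;
}

// Constructed sample events (not taken from a real log).
const samples = [
  'op=1 conn=12345 fd=64 ACCEPT',           // plain form
  'op=1 conn[ssl/tls]=12345 fd=64 ACCEPT',  // optional bracketed qualifier
  'op=1 conn[]=12345 fd=64',                // empty brackets: [^\]]+ needs at least one character
  'op=1 conn=abc123 fd=64',                 // non-numeric character right after "="
  'op=1 conn=123abc fd=64',                 // digits followed by letters
];

// Collect the result for every sample so the behaviour can be compared side by side.
function extractAll(events) {
  return events.map((e) => ({ event: e, value: extractConn(e) }));
}

for (const { event, value } of extractAll(samples)) {
  console.log(`${value === null ? 'no match' : value}\t${event}`);
}
```

The last two samples show the caveat from the post: a value that starts with a non-digit is not extracted at all, and a value that mixes digits and letters is truncated at the first non-digit.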