user803860

Reputation: 319

Splunk: how to query nested values

I have the log below and I want to get the value of Description under "Calling Checklist1003". How do I do that?

Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This is a resubmission of a case that was underwritten using the
11/21/2019 09:21:53.297 UW_10.30 KB engine 
11/21/2019 09:21:53.297 
11/21/2019 09:21:53.297 UWROUTER service will be used for underwriting
11/21/2019 09:21:53.297 ----------------------------------------------------------------
11/21/2019 09:21:53.297 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This case will be underwritten using UWROUTER 1.0 
11/21/2019 09:21:53.297 
11/21/2019 09:21:53.297 **Calling Checklist1003**
11/21/2019 09:21:53.345 ----------------------------------------------------------------
11/21/2019 09:21:53.345 Message type: Code: 118310 dec, 1ce26 hex
11/21/2019 09:21:53.345 Fault type: Undefined Severity: Undefined
11/21/2019 09:21:53.345 **Description**: Hired From Date is missing for secondary employment for 
11/21/2019 09:21:53.345 applicant . 
11/21/2019 09:21:53.345 
11/21/2019 09:21:53.358 -----------------------------------------

Upvotes: 0

Views: 370

Answers (1)

user803860

Reputation: 319

index=du sourcetype="ab:xyz-log"
| rex field=_raw mode=sed "s/([\n\r\s]+)\d{2}\/\d{2}\/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}/\1/g"
| rex field=_raw max_match=0 "Calling Checklist1003[^-]+[^\n]+\n[^\n]+(?<checklist>[^-]+)"
| rex field=checklist "Description: (?<Description>[^\e]+)"
| rex field=_raw "INST_INFO:\s\d+\|(?<lenderInstName>.*)\|"
| rex field=_raw "lenderCaseNo\s\[(?<lenderCaseNumber>\d+)\]"
| eval BTime = strptime(Begin_time, "%H:%M:%S.%3N")
| eval CTime = strptime(Completion_time, "%H:%M:%S.%3N")
| eval ResTime=CTime-BTime
| table Description lenderInstName lenderCaseNumber Begin_time Completion_time

Upvotes: 0
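As an added example (not part of the original answer or of Splunk), the same three-step extraction reimplemented in Python so the regexes can be checked offline against the question's log: strip the timestamp prefixes, isolate the block after "Calling Checklist1003", then pull its Description. The `**` markers are dropped from the sample because they are markdown emphasis, not log content; Python spells named groups `(?P<name>...)` and has no `\e` escape, so `[\s\S]+` stands in for `[^\e]+`.

```python
import re

# Constructed sample: the event from the question with the ** emphasis markers removed.
RAW_EVENT = """Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This is a resubmission of a case that was underwritten using the
11/21/2019 09:21:53.297 UW_10.30 KB engine
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 UWROUTER service will be used for underwriting
11/21/2019 09:21:53.297 ----------------------------------------------------------------
11/21/2019 09:21:53.297 Message type: SBAWF13Info Code: 1001 dec, 3e9 hex
11/21/2019 09:21:53.297 Fault type: Application Severity: Info
11/21/2019 09:21:53.297 Description: This case will be underwritten using UWROUTER 1.0
11/21/2019 09:21:53.297
11/21/2019 09:21:53.297 Calling Checklist1003
11/21/2019 09:21:53.345 ----------------------------------------------------------------
11/21/2019 09:21:53.345 Message type: Code: 118310 dec, 1ce26 hex
11/21/2019 09:21:53.345 Fault type: Undefined Severity: Undefined
11/21/2019 09:21:53.345 Description: Hired From Date is missing for secondary employment for
11/21/2019 09:21:53.345 applicant .
11/21/2019 09:21:53.345
11/21/2019 09:21:53.358 -----------------------------------------
"""

# Step 1, the answer's sed expression: whitespace + "MM/DD/YYYY HH:MM:SS.mmm" becomes just the whitespace.
TIMESTAMP = re.compile(r"([\n\r\s]+)\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}")
# Step 2, the answer's first rex. [^-]+ stops at the first hyphen, so the capture is anchored
# on the dashed separator lines and would truncate if the description text itself contained '-'.
CHECKLIST = re.compile(r"Calling Checklist1003[^-]+[^\n]+\n[^\n]+(?P<checklist>[^-]+)")
# Step 3, the answer's [^\e]+ ("anything, including newlines") written as [\s\S]+ for Python.
DESCRIPTION = re.compile(r"Description: (?P<Description>[\s\S]+)")


def strip_timestamps(raw: str) -> str:
    """Equivalent of the rex mode=sed command: drop every timestamp prefix."""
    return TIMESTAMP.sub(r"\1", raw)


def extract_checklist_description(raw: str):
    """Return the Description of the block that follows 'Calling Checklist1003',
    with whitespace collapsed, or None when that block (or its Description) is absent."""
    block = CHECKLIST.search(strip_timestamps(raw))
    if block is None:
        return None
    desc = DESCRIPTION.search(block.group("checklist"))
    if desc is None:
        return None
    return " ".join(desc.group("Description").split())
```

Running `extract_checklist_description(RAW_EVENT)` yields the Description of the checklist block only, not the two earlier Description lines, which is the behaviour the SPL pipeline relies on.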
