Unless you have some customised field extraction for EVENT_MESSAGE, Splunk will automatically assign "Number" to EVENT_MESSAGE instead of "Number of Offers ready to send: 6" that @codebased seems to expect. The above should work. (field=_raw is assumed by default so no need to specify.)

Indeed it is not a field!

@codebased - I suspected so.

@yuanliu is correct that field=_raw is default, but on these forums I like to be explicit, in case a reader doesn't understand that the rex is operating on some specific field... like the one that in this case didn't exist...

Thank you @dineshraj9. I was actually using ? but somehow it got removed from my original question. I have copied your snippet as it is but it is not working :(. The offercount is all empty.

Thank you so much for your help. It is resolved. I had to use _raw.

Can you paste the exact value in the EVENT_MESSAGE field? when I tested with the sample provided by you it worked.

| makeresults | eval EVENT_MESSAGE="Number of Offers ready to send: 6" | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount

You could also try -

<your search> | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount

This is what I have tried:
APP_PATH="/Apiv0" EVENT_MESSAGE=Number of Offers ready to send | rex field=EVENT_MESSAGE "\D+(?\d+)" | table offercount

My splunk log is:

2017-06-15 03:00:12.8818; LOG_LEVEL=Info; SOURCE=JobRepository; APP_PATH=/Apiv0; VERSION=0.1.0.90; CORRELATION_IDENTIFIER=fe800697-df6a-4ce6-9438-27d106ab0005; SERVER=XXXX; EVENT_MESSAGE=Number of Offers ready to send: 6

The result is:

Events (14)
- ...
Statistics (14)
- Empty List