I need a regular expression to extract JSON from the message field. Can someone help?
After extracting it, I want to parse the extracted JSON using the spath command.
{
@timestamp: 2022-04-09T05:50:04.336Z
@version: 1
file: test.log
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}
name: test
no: 111111111111
}
Try with the ms flags so that . will match across newlines
| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"
This assumes that the message field is immediately followed by name
(?ms)message:.+?(?<json>\{.*\})\s*name
Thanks for the immediate response.
Name is another field.
The "message" field contains the sample data below. It just ends with the JSON object.
I need to extract the JSON and create a new field.
message: 2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
"context": {
"httpContextKey": 1111111111,
"verbId": 2,
"verb": "GET",
"originalVerb": "GET",
"protocol": "https",
"parameters": {
"uri": {
"version": "v2"
}}}}
| rex "(?ms)message:.+?(?<json>\{.*\})\s*name"
Not working, just getting empty output
| rex "(?ms)message:.+?(?<json>\{.*\})\s*name" |table json
The below rex is giving "{" as output (the start of the JSON). Need to tweak it to print to the end.
|table message
| rex field=message "Request \#[0-9]+\: (?<json>.+)" |table json
Try with the ms flags so that . will match across newlines
| rex field=message "(?ms)Request \#[0-9]+\: (?<json>.+)"
It worked perfectly. What does (?ms) represent here? Can you explain?
Thank you
m - means multiline
s - means . will also match a newline - this is actually the important one in this instance
| rex field=message "(?s)Request \#[0-9]+\: (?<json>.+)"
This should also work for you.
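To make the effect of the s flag concrete, here is an added Python example (not from this thread or from Splunk) that runs the same pattern over a constructed copy of the message with and without dotall, then parses the capture the way the spath step would. It assumes Python's re, which spells the named group (?P<json>...) where Splunk's PCRE accepts (?<json>...).

```python
import json
import re
from typing import Optional

# Constructed sample, modelled on the thread's "message" field:
# a log prefix followed by a pretty-printed (multi-line) JSON body.
MESSAGE = """2021-04-09 05:50:04.273+0000 INFO |RestAPI.adminsrvr | Request #5172: {
  "context": {
    "httpContextKey": 1111111111,
    "verbId": 2,
    "verb": "GET",
    "originalVerb": "GET",
    "protocol": "https",
    "parameters": {
      "uri": {
        "version": "v2"
      }}}}"""

# Same pattern as the rex in the thread; Python names the group (?P<json>...).
PATTERN = r"Request #[0-9]+: (?P<json>.+)"


def extract_json(message: str, dotall: bool) -> Optional[str]:
    """Return the text captured by the json group, or None if there is no match.

    dotall=True is what (?s) does in the rex: '.' also matches a newline,
    so the capture runs to the end of the multi-line body instead of
    stopping at the end of the first line.
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(PATTERN, message, flags)
    return m.group("json") if m else None


def parse_request(message: str) -> Optional[dict]:
    """Extract the body with the dotall regex and parse it (the spath step)."""
    raw = extract_json(message, dotall=True)
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None  # capture was not a complete, valid JSON object


if __name__ == "__main__":
    # Without (?s) the capture stops at the first newline, which is the "{"
    # the thread reported; with (?s) the whole object is captured and parses.
    print(repr(extract_json(MESSAGE, dotall=False)))
    print(parse_request(MESSAGE)["context"]["parameters"]["uri"]["version"])
```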
Thanks
I have JSON data where sometimes we are unable to see the status: closed field in some of the events, and I want to write a regex to bring this into the event state: {
alert_id: orca-8452634
closed_reason: null
closed_time: null
created_at: 2023-07-06T11:41:18+00:00
high_since: null
in_verification: null
is_new_score: null
last_seen: 2024-02-04T11:38:11+00:00
last_updated: 2024-02-05T13:45:45+00:00
low_since: 2024-02-05T13:45:45+00:00
orca_score: 7
risk_level: high
rule_source: null
score: 2
severity: imminent compromise
status: closed
status_time: 2024-02-05T13:45:45+00:00
verification_status: null
Can anyone help us to close this?