Hello @vvkarur ,
You can try this regex
| rex field=_raw "\"role\":\"(?<field_name>\w+)\""
Thanks!
As @ITWhisperer points out, neither substring nor regex is the correct tool to extract information from structured data such as JSON. I assume that that so-called "string" is not the entire event, because otherwise Splunk would have automatically extracted role at search time. Suppose you have an event like this (I'm quite convinced that you missed a comma between '00"' and '"name'.):
stuff before ... {"code":"1234","bday":"15-02-06T07:02:01.731+00:00", "name":"Alex", "role":"student","age":"16"} stuff after ...
What you do is to use regex to extract the part that is compliant JSON (not a portion of it), then use spath or fromjson to extract all key-value pairs.
The following should usually work:
| rex "^[^{]*(?<json_message>{.+})"
| spath input=json_message
That sample data will return
| age | bday | code | json_message | name | role |
|---|---|---|---|---|---|
| 16 | 15-02-06T07:02:01.731+00:00 | 1234 | {"code":"1234","bday":"15-02-06T07:02:01.731+00:00", "name":"Alex", "role":"student","age":"16"} | Alex | student |
Here is an emulation for you to play with and compare with real data:
| makeresults
| eval _raw = "stuff before ... {\"code\":\"1234\",\"bday\":\"15-02-06T07:02:01.731+00:00\", \"name\":\"Alex\", \"role\":\"student\",\"age\":\"16\"} stuff after ..."
``` data emulation above ```
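A Python counterpart of the rex-then-spath approach above, added here as an example and not part of the original thread or of Splunk's own tooling: it locates the embedded JSON object, hands it to a real JSON parser, and shows on constructed sample events why the quote-delimited `"role":"..."` regex from the other replies and the greedy `{.+}` capture can mis-read the data (an escaped quote inside a value, a stray `}` in the trailing text). The function names and the sample events are my own; nothing here is a Splunk API.

```python
"""Extract a JSON object embedded in free text, then read fields from it.

Added example mirroring the 'rex to isolate the JSON, then spath' idea from
the thread. Sample events below are constructed for illustration.
"""
import json
import re

# Constructed sample events modelled on the thread's example.
SAMPLE_EVENTS = [
    'stuff before ... {"code":"1234","bday":"15-02-06T07:02:01.731+00:00", '
    '"name":"Alex", "role":"student","age":"16"} stuff after ...',
    # Role value contains an escaped quote: a quote-delimited regex stops early.
    'prefix {"code":"1","name":"Bo","role":"tutor \\"senior\\"","age":"40"} tail',
    # Trailing text contains a '}', so a greedy '{.+}' capture over-runs the object.
    'x {"code":"2","name":"Cy","role":"staff"} note: {see ticket}',
]

# The field-level regex style used in the other replies; kept for comparison only.
NAIVE_ROLE_RE = re.compile(r'"role":"(?P<role>[^,"]+)"')

# The greedy capture from this reply's rex, transcribed to Python syntax.
GREEDY_JSON_RE = re.compile(r"^[^{]*(?P<json_message>\{.+\})")


def naive_role(event: str):
    """Pull 'role' straight out of the raw text with a regex (fragile)."""
    m = NAIVE_ROLE_RE.search(event)
    return m.group("role") if m else None


def greedy_capture_parses(event: str) -> bool:
    """Does the greedy '{.+}' capture yield valid JSON for this event?"""
    m = GREEDY_JSON_RE.search(event)
    if not m:
        return False
    try:
        json.loads(m.group("json_message"))
    except json.JSONDecodeError:
        return False
    return True


def extract_json_object(event: str) -> dict:
    """Return the first complete JSON object embedded in the event text.

    Each '{' is tried as a start position; JSONDecoder.raw_decode parses one
    complete value and stops there, so text after the object (even text with
    braces) is ignored, and escaped quotes inside values are handled by the
    parser rather than by a hand-written pattern.
    """
    decoder = json.JSONDecoder()
    for m in re.finditer(r"\{", event):
        try:
            obj, _end = decoder.raw_decode(event, m.start())
        except json.JSONDecodeError:
            continue  # this '{' was not the start of valid JSON; try the next one
        if isinstance(obj, dict):
            return obj
    raise ValueError("no JSON object found in event")


def role_from_event(event: str):
    """Parser-based equivalent of '| spath input=json_message' followed by reading role."""
    return extract_json_object(event).get("role")


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("naive regex role :", naive_role(ev))
        print("parsed role      :", role_from_event(ev))
        print("greedy capture ok:", greedy_capture_parses(ev))
        print()
```

On the first event both approaches agree. On the second, the regex returns `tutor \` because it treats the escaped quote as the end of the value, while the parser returns `tutor "senior"`. On the third, the greedy capture swallows `note: {see ticket}` and is no longer valid JSON, whereas `raw_decode` stops at the object's real closing brace. This is the practical reason to isolate the JSON and parse it rather than to pattern-match individual keys.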
Hi @vvkarur
You can use the rex field, like this example.
| rex field=_raw "\"role\"\:\"(?<role>[^,\"]+)\""
This looks like JSON so you should ingest it as such. Alternatively, you could use spath to extract the fields. Alternatively, look at the json functions.