So I took your above and modified my search from using:

rex mode=sed "s/\sFound\sinvalid\ssort\ssields/ message="\"Found invalid sort fields\""/g"

to use:
rex mode=sed "s/(Found\sinvalid\ssort\ssields)/message=\"Found invalid sort fields\"/g"

Works now
Thanks!

The parens around the search string capture the matched string. This is why he uses the \1 in the replace string. If your log sample really has sields instead of fields and you not only want to add message= to it, but also change the spelling the \1 can't be used. However, if the log sample really has fields then the \1 should work dandy!

Really?
Cause I used this:
index=java host=src sourcetype=tomcat:src:server earliest=-4h "Found invalid sort sields"| rex mode=sed "s/(Found\sinvalid\ssort\ssields)/message=\"Found invalid sort fields\"/g"

And got the results:
2016-04-08 16:59:48,521 [_498840895039862628422332] priority=ERROR thread=http-nio-10010-exec-6 location=com.xxx.search.suggest.v3.impl message="Found invalid sort fields", invalidFields=eventDateLocal asc

What makes you say it doesn't work?

I did not say it does not work. I said the parentheses are used to capture the matched data, and the \1 returns that in the replace string. If you are going to use a literal replace string -- as you are showing you are doing, you don't need the parentheses or the \1. I am kind of curious why your log entry has that mis-spelling of the word fields as sields.

Sure sure, I understand.
Thanks!

Removing the parens returns the same results as well