replace() function produce an empty string if the string to be replaced starts with a "+" character.

this search with replace() works:

| makeresults 
| eval message = "This is mark1 replacement mark2", ph2="different" 
| rex field=message "mark1 (?<ph1>[^/s]*) mark2" 
| eval message2 = replace(message, ph1, ph2)
| table message, message2, ph1, ph2

this one will produce an empty message2:

| makeresults 
| eval message = "This is mark1 +replacement mark2", ph2="different" 
| rex field=message "mark1 (?<ph1>[^/s]*) mark2" 
| eval message2 = replace(message, ph1, ph2)
| table message, message2, ph1, ph2