Are you trying to extract the numbers? If so then you can simply escape the quotes with a backslash
Try the extraction below, the field-name will be ContactId
| rex ContactId\"\:\"(?<ContactId>\d+)
You said you tried this and it didn't work?? You're regex is broken and doesn't capture the values whereas the solution I posted does..
| rex "\"ContactId\":\"(?[0-9]*)\""
You're trying to extract the numbers? What doesn't work? Is it partially working? You need to add more context if you want any shot at getting this working
This looks mostly fine. I'd put the last
- in the square brackets at the front of the list, though:
... | rex "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""
Otherwise it seems fine. Do you also need to specify the field in this case? Sometimes that is needed to get it to work properly. There is just barely enough information about your problem to go on. This is a run-anywhere search that shows that it should work:
| makeresults | eval data="\"ContactId\":\"12345\"" | rex field=data "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""
Does the run-anywhere search above work on your Splunk? If it doesn't, then you have something seriously odd going on. If it does, but the single line search above doesn't work, then your data doesn't look the way you have said, because each of the options that you have been given by the various contributors here should work. Look at your data carefully and figure out why it is not the same as what you have posted here.