sorry - not working

| rex field=_raw "\"ContactId\":\"(?<ContactId>[a-zA-Z0-9-]*)\"" | table ContactId

that is exactly what i am doing and it does not work..

does not work means when i do | table ContactId and it shows empty table (I know i have the data)

You said you tried this and it didn't work?? You're regex is broken and doesn't capture the values whereas the solution I posted does..

| rex "\"ContactId\":\"(?[0-9]*)\""

You're trying to extract the numbers? What doesn't work? Is it partially working? You need to add more context if you want any shot at getting this working

rex "\"ContactId\":\"(?<ContactId>[a-zA-Z0-9-]*)\""

This looks mostly fine. I'd put the last - in the square brackets at the front of the list, though:

... | rex "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""

Otherwise it seems fine. Do you also need to specify the field in this case? Sometimes that is needed to get it to work properly. There is just barely enough information about your problem to go on. This is a run-anywhere search that shows that it should work:

| makeresults 
| eval data="\"ContactId\":\"12345\"" 
| rex field=data "\"ContactId\":\"(?<ContactId>[-a-zA-Z0-9]*)\""

sorry not working

Does the run-anywhere search above work on your Splunk? If it doesn't, then you have something seriously odd going on. If it does, but the single line search above doesn't work, then your data doesn't look the way you have said, because each of the options that you have been given by the various contributors here should work. Look at your data carefully and figure out why it is not the same as what you have posted here.