I've tried quite a number of extractions but nothing works.  I'm basically grabbing at straws at this point.

You didn't answer the question.  🙂

Please tell us more about what you tried and how those trials worked.  "A number" isn't something we can work with.

Are you extracting the field at search time or at index time?  What commands/settings are you using?

Ok.   

The events are JSON.  I have 74 results to my search that I am trying to extract values from.  The value I am trying to extract is from a blob sort of field that splunk is not extracting/identifying as a field.  Here is what I have tried and when I finish with "|table message" I get zero results.  This is done at search time.

1. ""(<?m>.+)"" 

2.  \"\w+\W+(?<message>[\s\w]+)\"

3.  field=_raw "\"\w+\W+(?<message>[\s\w]+)\""

4.  |rex field=message "\"(?<message>[\s\w]+)\""

5. |rex field=_raw "\"message\":\"(?<msg>.*?)\""

6. | rex “message\”:\”(?<message>[\”]+)”

OK. I might be overreaching here but I have a hunch that you have a JSON structure and within this JSON structure (which Splunk might already be parsing properly) you have a string field containing another json. Something like

{ "field": "{\"embedded\":\"json\"}"}

That would extract and present in the search results list value of the field field as

{"embedded":"json"}

Whereas in raw data that would still be

{\"embedded\":\"json\"}

As you have JSON here, you should remember that there are couple of parameters which define how it is handled and extracted. When you are hopping that we help you you must tell all details to us in 1st phase, otherwise we can do just a guess what your question is!

So as already asked, tell as much as you can about your situation e.g. with masked/scrambled data, and the we quite possibly could help you!

in this case we must know e.g. how long your event is to understand can splunk automatically manage it as json or should we expect that it has managed as encapsulated string and even cut one!

Given your example, only 5 and 6 stand a chance of working, and 6 only works if the double-quotes are corrected to ASCII double-quotes not the extended character set versions.

| makeresults
| eval _raw="\"message\":\"Transfer end logged\""
|rex field=_raw "\"message\":\"(?<msg>.*?)\""
| rex "message\":\"(?<message>[^\"]+)"

In future, it would be more useful to use code blocks (as I have done here) so that formatting is preserved.

As you have said, this is JSON and you might be better off pursuing this angle. If you could explain what it about what you have done with JSON and the results you got, we might be able to help you retrieve the data you want using the built-in JSON functionality.

I think you are right about JSON.  I will chase that down.

Thank you for taking the time to respond.  Much appreciated!