Have a read of the section regarding 'named capture groups' here:
http://www.regular-expressions.info/named.html
This should be a good starting point to see how the rex command (not the regex command) can be used to create field / value pairs.
Building on the great answers above, think of it like this.
Find the part of your string which you want to match, then wrap it in brackets.
So if you wanted to find the digit after "status": you could write:
"\"status\":(\d)"
Now if you want to give that a field name (let's call it 'status_value') using rex, you could do:
"\"status\":(?<status_value>\d)"
In Splunk, you should now have a field called 'status_value' containing the digit from your event.
But the http://www.regular-expressions.info site is a great place to read up on regex in general.