Splunk rex Search - Unable to tabulate because of NULL


I want to extract "TimesAccessed" from the message field.

Message: PublicDomainAPI.SaveAsync: progresses = [{"UserGuid":"0a062514-def3-4ae5-9092-asd12easd","CourseId":"c71f6538-e379-447e-aaf3-asd1dasd","Status":"InProgress","UserScore":1,"TotalTime":"0:23:45","TimesAccessed":null,"CompletionDate":null,"LastTimeAccessed":"2022-07-23T09:59:12.191+00:00","SuccessStatus":"Pass","Bookmark":"en","SuspendData":null,"Progress":null,"RegistrationDate":"2022-07-23T09:59:12.191+00:00","RegistrationNumber":1}], total: 1

I used | rex field=Message "\"TimesAccessed\"\:\"(?<TimesAccessed>[^\"]+)"

But I am not getting tabulated results because my data has NULL. The same works for other fields like

| rex field=Message "\"TotalTime\"\:\"(?<TotalTime>[^\"]+)"
| rex field=Message "\"CourseId\"\:\"(?<CourseId>[^\"]+)"

Solution

  • Checking your regex on regex101 shows that it fails - you're looking to match a literal ", but it's not there for your "null" value

    This regular expression is both simpler to read, and pulls what you're looking for (without the extraneous comma):

    | rex field=Message "TimesAccessed[[:punct:]]+(?<TimesAccessed>[^\",]+)"

    Use the [[:punct:]] character class to match any punctuation between the text you're trying to match
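As an added example (not part of the question or the answer above), the Python below runs both patterns against the question's own Message and shows why the first extracts nothing for a null value while the answer's pattern captures the literal `null`. It goes one step beyond the answer: the same Message contains the key `Progress` and the value `InProgress`, and the unanchored key name matches inside the value first, so an anchored variant that keeps the key's surrounding quotes and colon is shown alongside. Python's `re` has no `[[:punct:]]`, so that class is spelled out as the equivalent ASCII ranges, and Splunk's `(?<name>...)` becomes Python's `(?P<name>...)`; the helper names `rex`, `original_pattern`, `answer_pattern` and `anchored_pattern` belong to this example, not to Splunk.

```python
import re

# Constructed sample event: the Message field from the question, verbatim
# (the GUID-like values are the question's own placeholders).
MESSAGE = (
    'PublicDomainAPI.SaveAsync: progresses = [{"UserGuid":"0a062514-def3-4ae5-9092-asd12easd",'
    '"CourseId":"c71f6538-e379-447e-aaf3-asd1dasd","Status":"InProgress","UserScore":1,'
    '"TotalTime":"0:23:45","TimesAccessed":null,"CompletionDate":null,'
    '"LastTimeAccessed":"2022-07-23T09:59:12.191+00:00","SuccessStatus":"Pass",'
    '"Bookmark":"en","SuspendData":null,"Progress":null,'
    '"RegistrationDate":"2022-07-23T09:59:12.191+00:00","RegistrationNumber":1}], total: 1'
)

# Splunk's rex uses PCRE; Python's re lacks POSIX classes, so [[:punct:]] is
# written here as the ASCII punctuation ranges it covers. (Translation choice
# of this example, not something the answer states.)
PUNCT = r'[!-/:-@\[-`{-~]'


def rex(message, pattern):
    """Mimic `| rex field=Message "<pattern>"` for one event.

    Returns the dict of named captures, or None when the pattern does not
    match, which is how rex leaves the field unset (and the table cell empty).
    """
    m = re.search(pattern, message)
    return m.groupdict() if m else None


def original_pattern(field):
    # The question's form: a literal quote must follow the colon, so only
    # string-valued fields can match; null, numbers and booleans never do.
    return '"%s":"(?P<%s>[^"]+)' % (re.escape(field), field)


def answer_pattern(field):
    # The answer's form: any run of punctuation after the key name, then
    # everything up to the next quote or comma.
    return '%s%s+(?P<%s>[^",]+)' % (re.escape(field), PUNCT, field)


def anchored_pattern(field):
    # Tightened variant (this example's suggestion, not the answer's): the key
    # is matched with its surrounding quotes and colon, so a key that is also
    # the tail of another token (Progress inside InProgress) is not picked up,
    # and the optional quote still lets null and numeric values through.
    return '"%s":"?(?P<%s>[^",]+)' % (re.escape(field), field)


if __name__ == "__main__":
    for name, build in (("original", original_pattern),
                        ("answer", answer_pattern),
                        ("anchored", anchored_pattern)):
        for field in ("TimesAccessed", "TotalTime", "UserScore", "Progress"):
            print(name, field, rex(MESSAGE, build(field)))
```

Running it shows `original TimesAccessed None` against `answer TimesAccessed {'TimesAccessed': 'null'}`, and `answer Progress {'Progress': 'UserScore'}` against `anchored Progress {'Progress': 'null'}`. In Splunk's own escaping the anchored form for that field would read `| rex field=Message "\"Progress\":\"?(?<Progress>[^\",]+)"`. If the null rows should stay empty rather than carry the string `null`, follow the rex with an `eval` that maps that literal to a null value before tabulating.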