You can, most likely, greatly simplify your regex
For example:
| rex field=_raw "Id\W+(?<id>\w+)"
Will look for the literal string "Id", followed by as many non-word ("\W+") characters as it finds, then put all of the word characters ("\w+") it sees into the new field id
from User warren – Stack Overflow https://stackoverflow.com/questions/69286252/splunk-why-is-it-not-counting-by-field/69287527#69287527
via IFTTT