First, you’re grouping by a field that may not exist (did you mean groupId instead of serviceId?)
Second, are you sure your regular expression is correct?
This tested one is simpler:
| rex field=_raw "Id\W+(?<Id>\d+)\D+groupId\W+(?<groupid>\w+)"
from User warren – Stack Overflow https://stackoverflow.com/questions/69288768/splunk-how-to-extract-two-fileds-distinct-count-one-field-by-the-other-field/69290709#69290709