If you pull the extra question marks from your regex, it runs as expected:
| rex field=_raw "(?<jobRunTimeMs1>\d+)ms|(?<jobRunTimeS2>\d+)s(?<jobRunTimeMs2>\d+)ms|(?<jobRunTimeM3>\d+)m(?<jobRunTimeS3>\d+)s(?<jobRunTimeMs3>\d+)ms"
Append a couple coalesces to bring them together, and drop the extraneous fields with fields:
| eval ms=coalesce(ms1,ms2,ms3), s=coalesce(s2,s3), m=m3
| fields - ms1 ms2 ms3 s2 s3 m3
However, I generally prefer to run sequential individual extractions (especially when the format may vary, as yours does) for readability (and not needing to do the coalesce step afterwards):
| rex field=_raw "(?<minutes>\d+)m\d"
| rex field=_raw "m?(?<seconds>\d+)s"
| rex field=_raw "s?(?<milliseconds>\d+)ms"
from User warren – Stack Overflow https://stackoverflow.com/questions/73055345/splunk-regex-matching-for-spring-batch-job-times/73056679#73056679
via IFTTT