You’ve got the first extraction correct, just do another like it:
| rex field=_raw "message[[:punct:]]+(?<message>[^\"]+)"
This will grab everything after "message":"" until it hits another quote mark
from User warren – Stack Overflow https://stackoverflow.com/questions/73136831/splunk-need-help-in-extracting-error-messages-from-logs/73138969#73138969
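Added example, not part of warren's answer: a Python check of what the pattern above captures on three constructed events, including a message that contains escaped quotes and one that starts with punctuation. Python's `re` has no `[[:punct:]]`, so the class is spelled out as ASCII punctuation; the JSON-style event layout and the escape-aware variant are assumptions of this example.

```python
import re
import string

# Python's re lacks POSIX [[:punct:]]; build the ASCII equivalent explicitly.
PUNCT = "[" + re.escape(string.punctuation) + "]"

# Same shape as the rex in the answer: the literal "message", a run of
# punctuation, then everything up to the next double quote.
ANSWER_RE = re.compile(r"message" + PUNCT + r"+(?P<message>[^\"]+)")

# Variant (assumption, not from the answer): anchor on the quoted key and
# accept backslash-escaped characters inside the value.
ESCAPE_AWARE_RE = re.compile(r'"message"\s*:\s*"(?P<message>(?:[^"\\]|\\.)*)"')

# Constructed sample events; the real log layout is not shown on this page.
SAMPLE_EVENTS = [
    r'{"level":"error","message":"connection refused","code":111}',
    r'{"level":"error","message":"cannot open \"cfg.json\": permission denied"}',
    r'{"level":"error","message":"[db] timeout after 30s"}',
]


def extract(pattern, event):
    """Return the captured message, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("message") if match else None


def compare(events):
    """Pair each event's capture from the answer's pattern with the variant's."""
    return [(extract(ANSWER_RE, e), extract(ESCAPE_AWARE_RE, e)) for e in events]


if __name__ == "__main__":
    for event, (plain, aware) in zip(SAMPLE_EVENTS, compare(SAMPLE_EVENTS)):
        print(event)
        print("  answer pattern :", plain)
        print("  escape-aware   :", aware)
```

On the second event the capture stops at the first escaped quote, and on the third the greedy punctuation run swallows the leading `[`, so both are worth checking against real events before relying on the extracted field.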