The syntax is:

rex field=<splunk data field> "(?<VARIABLE>regex)"

For example:
If your Splunk _raw field contained the line “The sky is blue” and you wanted to
get the word blue and assign it to a variable called COLOUR, you would do the following:

sourcetype="your_source_type" source="/etc/foo/bar" | rex field=_raw "The sky is\s+(?<COLOUR>\w+).*"

i.e. “The sky is” followed by one or more spaces, followed by one or more word characters (which are assigned to the variable COLOUR), followed by 0 or more of any characters. In other words, it is standard regex, but instead of putting the capture parentheses around only the (\w+), you also insert ?<COLOUR> to the left of the \w+, so you end up with (?<COLOUR>\w+)

Now that you have a variable called COLOUR, you can pipe it to a table:

sourcetype="your_source_type" source="/etc/foo/bar" | rex field=_raw "The sky is\s+(?<COLOUR>\w+).*" | table COLOUR

Here’s a real-world example that pulls the HTTP method, response code and URI out of Apache’s access logs and renders them in a table:

sourcetype="myproject:ihs" source="/usr/websphere*/ihs*" | rex field=_raw "(?<METHOD>POST|GET|PUT)\s+(?<URI>.*\s+)\.*HTTP/1.1\"##(?<CODE>\d+)" | table host, CODE, METHOD, URI
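
An offline check of the extraction above, added here as an example and not part of the original post: it runs the page's pattern over constructed access-log lines and reports which events end up without METHOD, URI and CODE. The sample lines, the "##" layout, `extract` and `TIGHT_PATTERN` are assumptions, and Python needs `(?P<NAME>...)` where rex accepts `(?<NAME>...)`.

```python
import re

# The page's rex pattern, with (?<NAME>...) rewritten as (?P<NAME>...) because
# Python's re module only accepts that spelling. The \" in the SPL string is
# just an escaped double quote, so it appears here as a plain ".
PAGE_PATTERN = re.compile(
    r'(?P<METHOD>POST|GET|PUT)\s+(?P<URI>.*\s+)\.*HTTP/1.1"##(?P<CODE>\d+)'
)

# Hypothetical tighter variant (not from the page): any upper-case method,
# a URI with no whitespace, any HTTP version, three-digit status code.
TIGHT_PATTERN = re.compile(
    r'"(?P<METHOD>[A-Z]+)\s+(?P<URI>\S+)\s+HTTP/\d(?:\.\d)?"##(?P<CODE>\d{3})'
)

# Constructed sample events; the "##" separated layout is inferred from the
# page's pattern and is an assumption about the custom log format.
SAMPLE_EVENTS = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/login HTTP/1.1"##200##512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "POST /app/upload HTTP/1.1"##403##0',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "DELETE /app/item/7 HTTP/1.1"##405##0',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /app/health HTTP/1.0"##200##2',
]


def extract(pattern, events):
    """Return (rows, unmatched): field dicts for matches, raw lines for misses."""
    rows, unmatched = [], []
    for event in events:
        match = pattern.search(event)  # like rex, match anywhere in the field
        if match:
            rows.append(match.groupdict())
        else:
            unmatched.append(event)
    return rows, unmatched


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("tight", TIGHT_PATTERN)):
        rows, unmatched = extract(pattern, SAMPLE_EVENTS)
        print(f"{name}: {len(rows)} extracted, {len(unmatched)} without fields")
        for row in rows:
            print("   ", row)
```

On these lines the page's pattern leaves the DELETE and HTTP/1.0 events without fields and captures URI with a trailing space, while the tighter variant extracts all four.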