1) I'd expect the 7 digits after the : are part of the information to be captured, so I'd break on the blank (or end-of-field) after that. Basically, I'd pull everything until either a space or the end of the field.

2) I'm not sure where you're designating the name of the fields being extracted by the rex. The syntax I'd expect would look like this (surround bolded terms with angle brackets as appropriate) -

| rex field=req_event_id "^(?req_event_id1[^ $]+) (?req_event_id2[^ $]+)\b"
| fillnull req_event_id_1 value="log_missing"
| fillnull req_event_id_2 value="unspecified"

3) I also doubt that would work if there was only one value; since the second part of the regular expression wouldn't be matched, the first wouldn't get a value. So, you'd need to use max_match=2 and set up the regular expression to match each req_event_id, like so (surround bolded terms with angle brackets as appropriate) -

| rex field=req_event_id max_match=2 "(?RIDs[^ $]+)"
| eval req_event_id_1 = coalesce(mvindex(RIDs,0),"log_missing" )
| eval req_event_id_2 = coalesce(mvindex(RIDs,1),"unspecified")

I see what's happening - apparently the greater-and-lesser-signs are being stripped out of the comments, so the field name in the regex is disappearing.

After each (? spot in my comment should be the extract field name, wrapped by greater/lesser signs. in the first example, the field names are req_event_id1 and req_event_id2, in the second example, the field name is RIDs.