CEF events Issue - cefKeys and cefCustom

All Apps and Add-ons

In the event:
cs3Label=HostName_Ext cs3=xx.xx.x.xx cs5Label=Deep src cs5=0 cs10Label=Deep_zone cs10=0 cn2Label=Score cn2=71
cn4Label=Deep_threat_type cn4=5 dmac=00:xx:xx:xx:xx
==============
props.conf

[cefevents]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1
REPORT-cefevents = cefHeaders,cefKeys,cefCustom

tranforms.conf

[cefHeaders]
REGEX = CEF:\s?(?<cef_cefVersion>\d+)\|(?<cef_vendor>[^|]*)\|(?<cef_product>[^|]*)\|(?<cef_version>[^|]*)\|(?<cef_signature>[^|]*)\|(?<cef_name>[^|]*)\|(?<cef_severity>[^|]*)

[cefKeys]
REGEX = (?:_+)?(?<_KEY_1>[\w.:\[\]]+)=(?<_VAL_1>.*?(?=(?:\s[\w.:\[\]]+=|$)))
REPEAT_MATCH = True
CLEAN_KEYS = 1

[cefCustom]
REGEX = (\S+)=([^=]*)\s+(?:\1Label)=([^=]+)(?:(?:\s\w+=)|$)
FORMAT = $3::$2
KEEP_EMPTY_VALS = True

==================
cefHeaders are extracting as expected. but cefKeys and cefCustom is not able to extract the key value pairs.
please advise

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...