I need to extract multivalues from a field with the following value format: role1, role2, some role3
The problem is that there are spaces after the commas.
I was able to do it successfully using the following search: | rex mode=sed field=role "s/, /,/g" | makemv delim="," role
How can I implement it on the configuration?
Just use makemv delim=", ":
| stats count | eval field = "a, b, c" | makemv field delim=", "
You can change the FORMAT of the old role field to a different name, set the SOURCE_KEY of the new extraction to that and the named capturing group to role. You can't have both as role because then the individual values would get added to the three-roles-string.
As for the regex, the second non-capturing group is for "eating up" the comma and space between the individual values. Might actually not be necessary.
Here is my final configuration as suggested:
[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)
FORMAT = roles_string::$1
[junipersa-roles-mv]
SOURCE_KEY = roles_string
MV_ADD = true
REGEX = (?<role>[^\s,]+)
Seems to work fine, though I need some further QA 🙂
Thanks for the great and prompt help!
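As an added offline check of the two-stage extraction above (this is not code from the thread or from Splunk): the Python below re-runs the chained REPORT transforms against a constructed sample event. The sample event, the constant and function names are assumptions; the regexes are copied from the posts in this thread. Splunk's REGEX settings are PCRE, so the named group `(?<role>...)` is written `(?P<role>...)` for Python's `re`. The check also runs the delimiter-based `(\w[^\,]*)` TOKENIZER posted further down, which keeps a role containing a space ("some role3") as one value, whereas `[^\s,]+` splits it on the space as well as on the comma.

```python
import re

# Constructed sample event in the shape the thread's regex expects; not a real Juniper SA log line.
SAMPLE_EVENT = (
    "Juniper: 2014-05-06 10:11:12 - ive - [10.1.2.3] jdoe(Users Realm)"
    "[role1, role2, some role3] - Login succeeded"
)

# Stage 1: the [junipersa-role-info] REGEX from the thread; FORMAT = roles_string::$1
ROLE_INFO_RE = re.compile(
    r"Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s"
    r"[^\(\)\s]+\([\s\d\w]+\)\[([^\]]+)"
)

# Stage 2: the [junipersa-roles-mv] REGEX (SOURCE_KEY = roles_string, MV_ADD = true).
# Splunk's PCRE (?<role>...) becomes (?P<role>...) in Python.
ROLES_MV_RE = re.compile(r"(?P<role>[^\s,]+)")

# The [juniper-mvroles] variant with the non-capturing group that "eats" the separator.
ROLES_MV_EAT_RE = re.compile(r"(?P<rolemv>[^\s,]+)(?:[\s,]*)")

# Delimiter-based alternative: the TOKENIZER posted in the thread for fields.conf.
ROLES_TOKENIZER_RE = re.compile(r"(\w[^\,]*)")


def extract_roles_string(event: str):
    """Stage 1: emulate the REPORT extraction that writes the whole bracketed
    role list into roles_string (FORMAT = roles_string::$1)."""
    m = ROLE_INFO_RE.search(event)
    return m.group(1) if m else None


def extract_roles(event: str, mv_regex=ROLES_MV_RE):
    """Stage 2 chained on stage 1: with SOURCE_KEY = roles_string and
    MV_ADD = true, every match of mv_regex on roles_string becomes one
    value of the multivalue field. Returns the list of values."""
    roles_string = extract_roles_string(event)
    if roles_string is None:
        return []
    return [m.group(1) for m in mv_regex.finditer(roles_string)]


if __name__ == "__main__":
    print("roles_string:", extract_roles_string(SAMPLE_EVENT))
    for name, rx in [("[^\\s,]+", ROLES_MV_RE),
                     ("[^\\s,]+ with separator group", ROLES_MV_EAT_RE),
                     ("TOKENIZER (\\w[^\\,]*)", ROLES_TOKENIZER_RE)]:
        print(f"{name}: {extract_roles(SAMPLE_EVENT, rx)}")
```

Running it shows the two `[^\s,]+` variants produce identical values (the separator-eating group changes nothing, as the answer suspected), and that only the comma-delimited tokenizer keeps "some role3" whole; which behaviour is wanted depends on whether role names in the real events can contain spaces.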
Okay, so I assume this is in your props.conf:
[your_sourcetype]
...
REPORT-foo = junipersa-role-info
If so, append a second item like so:
REPORT-foo = junipersa-role-info,juniper-mvroles
And add that stanza to transforms.conf:
[juniper-mvroles]
REGEX = (?<rolemv>[^\s,]+)(?:[\s,]*)
SOURCE_KEY = role
MV_ADD = true
That'll extract the multivalues from the previous extracted field, no fields.conf entry necessary.
It works! (although I don't fully understand the REGEX syntax - what is the second match group for). And last thing, I prefer to get the result in the role field and not a new field. I will try to do it unless you have a quick solution.
transforms.conf
[junipersa-role-info]
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive\s-\s\[\d+.\d+.\d+.\d+\]\s[^\(\)\s]+\([\s\d\w]+\)\[([\s\d\w\,]+)\]\s-
FORMAT = role::$1
fields.conf
[role]
TOKENIZER = (\w[^\,]*)
Ah, not in the search... What's the event around the roles / the regex to extract the role field?
Thanks. That's a good idea, but now how do I implement it in the configuration?