I'm trying to load a large-ish collection of file upload reports into Splunk. Our application generates a report file which contain lines looking something like this:

"folder1/folder2/aa1da494-7879-476d-8f49-699fadfb3390/rep_156883_6d4f1dba35a867f381cbb7a5fa1928c1_M30_700.tar" 152504823B 0B completed"

There will be anywhere from one to hundreds of these lines in the file, each one referencing a different file name. What I'm trying to do is capture these lines using a field extraction. My problem is that only the first line is actually being captured. If I try searching for the second or onward lines using the extraction I defined, nothing is found.

The regex being used for the fields is pretty simple:

(?im)(?<=^")(?P(FIELDNAME).+?)(?=")

(The parenthesis in fieldname should be angle brackets, limitation of the field here)

Props.conf for the file:

#etc/system/local/props.conf
[TransferManifest]
BREAK_ONLY_BEFORE = ## Transfer manifestation
MUST_BREAK_AFTER = Total transferred bytes: \d*
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TIME_PREFIX = ## Start:
pulldown_type = 1
TRUNCATE=900000
MAX_EVENTS=90000

(The absurd values for truncate and max_events reflect the occasional large size of these files, mostly composed of lines like the one mentioned above)

The inputs.conf for these files:

#etc/apps/search/local/inputs.conf
[monitor:///mnt/apps/upload_reports]
disabled = false
followTail = 0
source = UploadReports
host = uploadserver01.company.com
index = upload_reports
sourcetype = TransferManifest
whitelist = *.txt

I've defined MV_ADD and REPEAT_MATCH as True in my system/local/transforms.conf.

Any idea what I'm missing here?