I have events with URLs, and the URLs contain parameters with KV values in them. Splunk auto extracts the KV pairs, but I want the transforms to apply a prefixed value to the key names from the pairs in the URL. For some reason my transforms refuse to work.
Here are a few sample events:
05-11-2026T14:08:01-05:00 LogLevel=INFO TraceId=69baf81038352c1e63cae59b98259742 Url=https://api.something.com/rsi/something/replacement/internal/something_internal_services/resources/org/p/ZMC31/01?hierarchy=false&includeInactive=true&test1=test2&test3=test4 DurationMillis=109 hierarchy=maybe includeInactive=false
05-11-2026T14:07:54-05:00 LogLevel=INFO TraceId=69baf80a0a882f20e6c944e61c5109a2 Url=https://api.something.com/rsi/something/replacement/internal/something_internal_services/resources/org/p/3UC31/01?hierarchy=false&includeInactive=true&test1=test2&test3=test4 DurationMillis=106 hierarchy=maybe includeInactive=false
I would like the extracted results from the URL to look like:
QP_hierarchy=false
QP_includeInactive=true
QP_test1=test2
QP_test3=test4
Here are my props and transforms:
[app_transaction]
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = False
TIME_PREFIX = ^
TRANSFORMS-extract = app_transaction_params
TRUNCATE = 99999
[app_transaction_params]
FORMAT = QP_$1::$2
MV_ADD = false
REGEX = (?:\?|&)(\w+)=([^&\s]+)
REPEAT_MATCH = true
SOURCE_KEY = _raw
The regex seems to work in regex101.com and extracts the groups correctly. The props is line breaking correctly. Any ideas what's wrong with my transforms here?
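An offline check of the REGEX and FORMAT values from the [app_transaction_params] stanza against the first sample event, added here as an example and not part of the original post. It uses Python's re module as a stand-in for Splunk's PCRE engine, the function names are hypothetical, and it only models what the pattern and FORMAT produce, not when or whether Splunk applies the transform.

```python
import re

# Values copied from the [app_transaction_params] stanza in the post.
REGEX = r"(?:\?|&)(\w+)=([^&\s]+)"
FORMAT = "QP_$1::$2"

# First sample event from the post, rebuilt here as one _raw string.
SAMPLE_RAW = (
    "05-11-2026T14:08:01-05:00 LogLevel=INFO "
    "TraceId=69baf81038352c1e63cae59b98259742 "
    "Url=https://api.something.com/rsi/something/replacement/internal/"
    "something_internal_services/resources/org/p/ZMC31/01"
    "?hierarchy=false&includeInactive=true&test1=test2&test3=test4 "
    "DurationMillis=109 hierarchy=maybe includeInactive=false"
)


def expand_format(fmt, match):
    """Substitute $1, $2, ... in a FORMAT string with the match's groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), fmt)


def apply_transform(raw, regex=REGEX, fmt=FORMAT, repeat_match=True, mv_add=False):
    """Emulate one REGEX/FORMAT pass over an event (hypothetical helper).

    repeat_match=False stops after the first match; mv_add=False keeps the
    first value seen for a field and discards later ones.
    """
    fields = {}
    for match in re.finditer(regex, raw):
        key, _, value = expand_format(fmt, match).partition("::")
        if key in fields and mv_add:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        elif key not in fields:
            fields[key] = value
        if not repeat_match:
            break
    return fields


if __name__ == "__main__":
    for name, value in apply_transform(SAMPLE_RAW).items():
        print(f"{name}={value}")
```

The trailing `hierarchy=maybe includeInactive=false` pairs are not picked up, because the pattern requires a leading `?` or `&`.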