New to Splunk so any help is appreciated.

I am uploading mytest.log and trying to use SEDCMD to unravel a few fields.

Here is what the mytest.log looks like:

Jun 30 11:33:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test cs2Label=bar cs2=abc field4=123
Jun 30 11:35:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test2 cs2Label=bar cs2=def field4=123
Jun 30 11:36:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test2 cs2Label=bar cs2=abc field4=123
Jun 30 11:37:31 dummy.site0001.com CEF:0|A|B|C|cs1Label=foo cs1=test4 cs2Label=bar cs2=def field4=123

I have updated /opt/splunk/etc/system/local/props.conf like this:

[source::.../mytest.log]
SEDCMD-syslog1 = s/(.*)cs1Label=([a-zA-Z0-9]*) cs1=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog2 = s/(.*)cs2Label=([a-zA-Z0-9]*) cs2=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog3 = s/(.*)cs3Label=([a-zA-Z0-9]*) cs3=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog4 = s/(.*)cs4Label=([a-zA-Z0-9]*) cs4=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/
SEDCMD-syslog5 = s/(.*)cs5Label=([a-zA-Z0-9]*) cs5=([a-zA-Z0-9]*)(.*)/\1 \2=\3 \4/

The preview looks good:

foo=test bar=abc

After uploading it looks like:

cs1Label=foo cs1=test cs2Label=bar cs2=abc

Any ideas?