MV_ADD is only valid for search-time extractions, see http://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/transformsconf for reference.

hhmmm

so this solution doesn't work at all, as we are doing this at index time 😞
any other approach, or should i raise to to splunk support team.

-Sumit

Did you restart the indexers and look at data indexed after that?

I see the issue now, concatenated FORMAT values only work for index-time extractions. I have updated my configuration post for that. Note, this will only take effect for data indexed after setting this.

We have made change on indexer, and still not able to see any result. sorry to coming late on this, but I don't have access to make this change and has to work with splunk admin team.

transform
[apifields_totaltime]
CLEAN_KEYS = 1
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1.totaltime::$2
SOURCE_KEY = _raw
MV_ADD = 1

[apifields_avgtime]
CLEAN_KEYS = 1
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_avgtime::$3
SOURCE_KEY = getDataStack
MV_ADD = 1

[apifields_totalno]
CLEAN_KEYS = 1
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_totalno::$4
SOURCE_KEY = getDataStack
MV_ADD = 1

[apifields_mintime]
CLEAN_KEYS = 1
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_mintime::$5
SOURCE_KEY = getDataStack
MV_ADD = 1

[apifields_maxtime]
CLEAN_KEYS = 1
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_maxtime::$6
SOURCE_KEY = getDataStack
MV_ADD = 1

props
[fdpacq]
REPORT-REPORT-getDataAcq = extractserverStack,apifields_totaltime,apifields_avgtime,apifields_totalno,apifields_mintime,apifields_maxtime

No success ..
I have same configuration, I have multiple of this values in and event
I feel somehow, adding to extracted value with string causing issue ..

The underscore might be confusing the $1, try $1.total etc.

I have done above formatting but it is not working as we are expecting. though it is putting value on total,avg,min and max but not with $1. Not sure formatting is concat $1 and string value ??
BTW, my other pattern are working fine where I am assigning the value as $1::$2

I see, you're trying to extract the first part of the field name from the event and infer the second part of the field name from the position within the event? Try this:

props.conf:

[your_sourcetype]
...
TRANSFORMS-apifields = apifields_total,apifields_avg,apifields_count,apifields_min,apifields_max

transforms.conf

[apifields_total]
WRITE_META = true
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_total::$2

[apifields_avg]
WRITE_META = true
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_avg::$3

[apifields_count]
WRITE_META = true
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_count::$4

[apifields_min]
WRITE_META = true
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_min::$5

[apifields_max]
WRITE_META = true
REGEX = (\w+)=(\d+):(\d+):(\d+):(\d+):(\d+)
FORMAT = $1_max::$6

This time is it not about key and value, We are doing this, but for any API getting this value using key-pair will take long log message. hence we made little effective and producing this in above manner.
I am doing below parsing

getOAuthToken=(?(getOauth_totalExecTime>\d+):(?(getOauth_avgExecTime>\d+):(?(getOauth_noOfExecutions>\d+):(?(getOauth_minTime>\d+):(?(getOauth_maxTime>\d+)

I want a way to effectively use the api name and associate with new key values like.

getCall_TotalTime
getCall_AvgTime
getCall_AvgTime
getCall_Occurance
getCall_MInTime
getCall_MaxTime