From our Cisco ISE we get Posture report events, each event can have multiple PostureReports.

PostureReport=Encase Service Policy\;Passed\;(Encase Service Status:Audit:Failed:Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),  PostureReport=Disk Encryption -- ActiveX Error\;Passed\;(Disk Encryption Status-ActiveX Error:Audit:Passed:Passed_Conditions[]:Failed_Conditions[Disk_Encryption_ActiveX_Error_x64:Disk_Encryption_ActiveX_Error:Disk_Encryption_ActiveX_Error_x86]:Skipped_Conditions[]),

I've extracted the Status of each posture policy with a transforms.conf entry

[extract_posture_dynamic_ise] 
FORMAT = $1::$2 
MV_ADD = 1 
REGEX = \sPostureReport=([^\\;]+)\\;(\w+)\\;

that part works perfect. However, I now need to extract the status of the actual checks:

;(Encase Service Status:Audit:Failed:Passed_Conditions[]:Failed_Conditions[Encase_Service_Check]:Skipped_Conditions[]),  

Here's what I tried doing in transforms.conf before I noticed the caveat that this won't work at search time:

[extract_posture_checks_ise]
MV_ADD=1
REGEX=\sPostureReport=([^\\;]+)\\;\w+\\;\(([^:]):([^:]):([^:]):Passed_Conditions\[(.*?)\]:Failed_Conditions\[(.*?)\]:Skipped_Conditions\[(.*)\]),
FORMAT=$2_Type::$3 $2_Status::$4  $2_Passed_Conditions::$5  $2_Failed_Conditions::$6  $2_Skipped_Conditions::$7

Can this be done through a different method?