I am trying to parse the squid.conf file into a table.  I can't actually post the conf file due to security reason.

sourcetype="conf_no_timestamp"
| rex "( P<rule_name>^http_access|acl|cache|always_direct|persistent_request_timeout|request_timeout|follow_x_forwarded_for)\s(?P<action>[\w]+)\s(?<server_group_name>.*)$"
| eval action=split(action," ")
| eval server_group_name=split(server_group_name, " ")
| where action like "allow"
| table rule_name, server_group_name, action
| append
    [ search  sourcetype="conf_no_timestamp"
    | rex "(?P<rule_name>^http_access|acl|cache|always_direct|persistent_request_timeout|request_timeout|follow_x_forwarded_for)\s(?P<server_group_name>[\w]+)\s(?<dest>.*)$"
    | eval server_group_name=split(server_group_name," ")
    | eval dest=replace(dest, "dstdomain|src|any-of|dst|# ", ""), dest=replace(mvjoin(dest, " "), "/32", "|"), dest=split(dest, "|"), dest=split(dest, " ")
    | where rule_name like "acl"
    | table rule_name, dest, server_group_name]
| fillnull value="allow" action
| stats values(rule_name) as rule_name values(dest) as dest values(action) as action count by server_group_name