I want to make my DATASET field a multivalue field.

The regex extracting the field using Splunkweb's Field Extraction Manager page is:

(umi\.|%3D|,|%3B|\=|/catalog/w+/)(?P{DATASET}[a-z0-9_\-%]+)\.(geometry|\w*geom|\w+\.\w+)

The dataset values in an event are not delimited in an structured way.

An example event with 4 DATASET values:

"select=VALUE1,umi.VALUE2&from=VALUE3%BVALUE4.gemetry"

QUESTIONS:

• How should define my regex tokenizer for the DATASET field?
• Should I define tokenizer in fields.conf or in Splunkweb's Transform Manager page?