Have a look at this: your syntax is incorrect. By default, it looks at _raw. Yeah, there are two ways to do this:
https://answers.splunk.com/answers/47982/extracting-field-from-a-field-other-than-raw-in-props-conf.html
This can be done by using the SOURCE_KEY option in transforms.conf. So, in props.conf:

    [mysourcetype]
    REPORT-file_name = file_name

Then in transforms.conf:

    [file_name]
    SOURCE_KEY = File_Name
    REGEX = (?<Proto>[^_]+)_(?<Device_IP>[^_]+)_(?<Seq_ID>\d+\-\d+)-\d+-(?<Message_Type>\w+\.\w+)
Also, if you want to do it just by using props.conf, then read this:
    EXTRACT-<class> = [<regex>|<regex> in <src_field>]
    * Used to create extracted fields (search-time field extractions) that do
      not reference transforms.conf stanzas.
    * Performs a regex-based field extraction from the value of the source
      field.
    * <class> is a unique literal string that identifies the namespace of the
      field you're extracting.
      NOTE: <class> values do not have to follow field name syntax
      restrictions. You can use characters other than a-z, A-Z, and 0-9, and
      spaces are allowed. <class> values are not subject to key cleaning.
    * The <regex> is required to have named capturing groups. When the <regex>
      matches, the named capturing groups and their values are added to the
      event.
    * dotall (?s) and multi-line (?m) modifiers are added in front of the regex.
      So internally, the regex becomes (?ms)<regex>.
    * Use '<regex> in <src_field>' to match the regex against the values of a
      specific field. Otherwise it just matches against _raw (all raw event
      data).
    * NOTE: <src_field> has the following restrictions:
      * It can only contain alphanumeric characters and underscore
        (a-z, A-Z, 0-9, and _).
      * It must already exist as a field that has either been extracted at
        index time or has been derived from an EXTRACT-<class> configuration
        whose <class> ASCII value is *higher* than the configuration in which
        you are attempting to extract the field. For example, if you
        have an EXTRACT-ZZZ configuration that extracts <src_field>, then
        you can only use 'in <src_field>' in an EXTRACT configuration with
        a <class> of 'aaa' or lower, as 'aaa' is lower in ASCII value
        than 'ZZZ'.
      * It cannot be a field that has been derived from a transform field
        extraction (REPORT-<class>), an automatic key-value field extraction
        (in which you configure the KV_MODE setting to be something other
        than 'none'), a field alias, a calculated field, or a lookup,
        as these operations occur after inline field extractions (EXTRACT-
        <class>) in the search-time operations sequence.
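Both routes above hinge on which field the regex is matched against. As an added example (not from the post or from Splunk itself), this Python emulation of an EXTRACT-<class> value and of a REGEX + SOURCE_KEY transform runs the post's regex once against the File_Name field and once against _raw, showing the correct groups in the first case and a wrong Proto in the second; the sample event, the helper names and the (?<name> to (?P<name> rewrite are my own assumptions.

```python
import re

# Constructed sample event: File_Name already exists as its own field, and the
# value we want to split lives there rather than as a clean token in _raw.
SAMPLE_EVENT = {
    "_raw": "2024-01-01T00:00:00Z host=fw1 File_Name=TCP_10.0.0.5_12-34-56-alert.log",
    "File_Name": "TCP_10.0.0.5_12-34-56-alert.log",
}

# The regex from the post, in Splunk's PCRE-style (?<name>...) group syntax.
FILE_NAME_REGEX = (r"(?<Proto>[^_]+)_(?<Device_IP>[^_]+)_"
                   r"(?<Seq_ID>\d+\-\d+)-\d+-(?<Message_Type>\w+\.\w+)")

def splunk_to_python_regex(pattern):
    """Python's re spells named groups (?P<name>...); rewrite (?<name> only,
    leaving lookbehinds (?<= and (?<! untouched (assumed helper, not Splunk's)."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)

def apply_extract(event, directive):
    """Emulate one EXTRACT-<class> value: '<regex>' or '<regex> in <src_field>'.

    Returns a copy of the event with the named groups added on a match.
    Without 'in', the regex runs against _raw, exactly as the post warns."""
    m = re.fullmatch(r"(?s)(.*)\s+in\s+([A-Za-z0-9_]+)", directive)  # greedy: last ' in '
    if m:
        pattern, src_field = m.group(1), m.group(2)
    else:
        pattern, src_field = directive, "_raw"
    out = dict(event)
    if src_field not in event:        # <src_field> must already exist on the event
        return out
    # Splunk prepends (?ms) to the user's regex before matching.
    compiled = re.compile("(?ms)" + splunk_to_python_regex(pattern))
    match = compiled.search(event[src_field])
    if match:
        out.update({k: v for k, v in match.groupdict().items() if v is not None})
    return out

def apply_transform(event, regex, source_key="_raw"):
    """Emulate a transforms.conf stanza's REGEX + SOURCE_KEY (the REPORT- route):
    the same matching step, just with the source field chosen by SOURCE_KEY."""
    return apply_extract(event, f"{regex} in {source_key}")

if __name__ == "__main__":
    print(apply_extract(SAMPLE_EVENT, FILE_NAME_REGEX)["Proto"])  # Name=TCP (wrong: matched _raw)
    print(apply_extract(SAMPLE_EVENT, f"{FILE_NAME_REGEX} in File_Name")["Proto"])  # TCP
    print(apply_transform(SAMPLE_EVENT, FILE_NAME_REGEX, "File_Name")["Device_IP"])  # 10.0.0.5
```

The _raw run picks up "Name=TCP" as Proto because the first underscore the regex can use is the one inside "File_Name", which is exactly the symptom of leaving out 'in <src_field>' or SOURCE_KEY.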