
How to extract fields from openSCAP using regex?

zsanchez113
Explorer

Hey all,

I'm trying to extract fields from openSCAP logs and I'm having difficulties pulling the CCE/DISA fields, which don't occur in all of the entries. For some reason, they keep getting grouped under the "Rule" field (e.g. Rule's value is "partition_for_tmp Ident CCE-26435-8 Ident DISA FSO RHEL-06-000001"). I've tried several regexes, and none of them have successfully gotten me the fields I want despite working on an online regex tester for PCRE. If I could get some feedback on why I can't get Splunk to extract the fields, I'd appreciate it.
transforms.conf:

[fields_for_scap]
REGEX = Title\n\t(.*)\nRule\n\t(.*)\n(?:Ident\n\t(.*)\n(?:Ident\n\t(.*)\n)?)?Result\n\t(.*)
FORMAT = Title::$1 Rule::$2 CCE::$3 DISA::$4 Result::$5

Previously attempted regexes:

REGEX = Title\n\t(.*)\nRule\n\t(.*)\n(?:Ident\n\t(.*)\n)?(?:Ident\n\t(.*)\n)?Result\n\t(.*)
REGEX = Title\n\t(.*)\nRule\n\t(.*)(?:\nIdent\n\t)?(.*|)(?:\nIdent\n\t)?(.*|)\nResult\n\t(.*)

props.conf:

[scap]
SHOULD_LINEMERGE=false
LINE_BREAKER = (\n\n)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
REPORT-fields_for_scap = fields_for_scap

Example events:

Title
  Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool
Rule
  kernel_disable_entropy_contribution_for_solid_state_drives
Result
  pass

Title
  Ensure /tmp Located On Separate Partition
Rule
  partition_for_tmp
Ident
  CCE-26435-8
Ident
  DISA FSO RHEL-06-000001
Result
  pass

Edit:

For anybody in the future reading this wondering how I resolved this, I followed the accepted answer and defined the regex a bit more precisely, e.g. using (\w+) for the Rule field instead of (.*) so that matching issues wouldn't occur. When I broke up the regex, I realized that Splunk was having issues matching the non-capturing group (?:Ident), so there may be a problem with that.

0 Karma
1 Solution

FrankVl
Ultra Champion

Maybe just use multiple separate REPORT statements, one for each field, such that you can keep the regexes much simpler and don't have to worry about some fields not always being present.


cpetterborg
SplunkTrust

Try:

REGEX = Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?[\s\S]*?Result[\r\n]*\s*([^\r\n]*)
FORMAT = Title::$1 Rule::$2 CCE::$4 DISA::$5 Result::$6

It's fairly efficient.
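The two approaches suggested in this thread, run side by side against constructed copies of the two events from the question (an added example, not code from the thread or from Splunk). The per-field patterns in approach 1 are my own, and telling the two identical "Ident" labels apart by their value prefix (`CCE-` versus `DISA `) is an assumption about the OpenSCAP output, not something the question states. Approach 2 uses cpetterborg's regex unchanged and shows why the FORMAT maps CCE and DISA to $4 and $5: group 3 is the optional wrapper around both Ident blocks.

```python
import re

# Constructed sample events, modelled on the two events in the question.
# The value lines are indented with a tab, as the asker's regex assumes;
# the patterns below accept a tab or spaces so either form works.
EVENT_NO_IDENT = (
    "Title\n\tEnsure Solid State Drives Do Not Contribute To Random-Number Entropy Pool\n"
    "Rule\n\tkernel_disable_entropy_contribution_for_solid_state_drives\n"
    "Result\n\tpass\n"
)
EVENT_WITH_IDENT = (
    "Title\n\tEnsure /tmp Located On Separate Partition\n"
    "Rule\n\tpartition_for_tmp\n"
    "Ident\n\tCCE-26435-8\n"
    "Ident\n\tDISA FSO RHEL-06-000001\n"
    "Result\n\tpass\n"
)
# Same event with two-space indentation, as the events appear pasted above.
EVENT_SPACES = EVENT_WITH_IDENT.replace("\t", "  ")

# Approach 1 (accepted answer): one short regex per field, each the kind of
# pattern a separate REPORT-* transform would carry. Because both labels are
# "Ident", CCE and DISA are distinguished by value prefix (assumption).
PER_FIELD = {
    "Title":  re.compile(r"^Title\n[ \t]+([^\n]+)", re.M),
    "Rule":   re.compile(r"^Rule\n[ \t]+(\w+)", re.M),
    "CCE":    re.compile(r"^Ident\n[ \t]+(CCE-[0-9-]+)", re.M),
    "DISA":   re.compile(r"^Ident\n[ \t]+(DISA [^\n]+)", re.M),
    "Result": re.compile(r"^Result\n[ \t]+(\w+)", re.M),
}


def extract_per_field(event):
    """Return only the fields present in the event; a missing Ident line
    simply yields no CCE/DISA key instead of breaking the whole match."""
    fields = {}
    for name, pattern in PER_FIELD.items():
        match = pattern.search(event)
        if match:
            fields[name] = match.group(1)
    return fields


# Approach 2: cpetterborg's single combined regex, copied unchanged.
# Group numbering: 1=Title, 2=Rule, 3=optional Ident wrapper, 4=first Ident,
# 5=second Ident, 6=Result, which is why FORMAT uses $4/$5 for CCE/DISA.
COMBINED = re.compile(
    r"Title[\r\n]\s*([^\r\n]*)[\s\S]*?Rule[\r\n]*\s*([^\r\n]*)"
    r"([\r\n]*\s*Ident[\r\n]*\s*([^\r\n]*)[\s\S]*?Ident[\r\n]*\s*([^\r\n]*))?"
    r"[\s\S]*?Result[\r\n]*\s*([^\r\n]*)"
)
COMBINED_FORMAT = {"Title": 1, "Rule": 2, "CCE": 4, "DISA": 5, "Result": 6}


def extract_combined(event):
    """Apply the combined regex and the FORMAT mapping; groups that did not
    participate (no Ident lines) are dropped so the output matches approach 1."""
    match = COMBINED.search(event)
    if not match:
        return {}
    return {name: match.group(idx) for name, idx in COMBINED_FORMAT.items()
            if match.group(idx) is not None}


if __name__ == "__main__":
    for event in (EVENT_NO_IDENT, EVENT_WITH_IDENT, EVENT_SPACES):
        print(extract_per_field(event))
        print(extract_combined(event))
```

Both functions return the same five fields for the event with Ident lines and only Title, Rule and Result for the one without, which is the point of the accepted answer: with one regex per field, an absent field costs nothing, while a single combined regex has to carry optional groups and the group offsets they introduce. The `EVENT_SPACES` case is worth keeping in mind when testing a pattern written with a literal `\t` against events that, as pasted here, show spaces.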

