If you insist on using a regular expression to parse XML … this is far simpler:
| rex field=_raw "PrivilegeList\"\>(?<privilege>[\w\s]+)"
| eval privilege=split(privilege," ")
But… there are better ways to handle XML
from User warren – Stack Overflow https://stackoverflow.com/questions/74306508/splunk-regex-try-to-have-one-group-with-multiple-values/74308787#74308787
via IFTTT