Answer by warren for Splunk Event JSON to Table

I suspect something like the following will work – but you’re better off either getting this data as proper JSON (so Splunk handles it natively), or fixing your props.conf and transforms.conf.

| rex field=_raw max_match=0 "id\W+(?<id>\d+)"
| rex field=_raw max_match=0 "updatedAt\W+(?<updated>[^\"]+)"
| rex field=_raw max_match=0 "createdAt\W+(?<created>[^\"]+)"
| rex field=_raw max_match=0 "feature\W+(?<feature>[^\"]+)"
| rex field=_raw max_match=0 "enabled\W+(?<enabled>\w+)"

Those will all be multivalue fields – so you may need to mvzip and then mvexpand them out (reextracting afterwards) like this:

| eval an_event=mvzip(mvzip(mvzip(mvzip(id,updated,";"),created,";"),feature,";"),enabled,";")
| fields - id updated created feature enabled
| mvexpand an_event
| rex field=an_event "(?<id>[^;]+);(?<updated>[^;]+);(?<created>[^;]+);(?<feature>[^;]+);(?<enabled>.+)"

from User warren – Stack Overflow https://stackoverflow.com/questions/75020638/splunk-event-json-to-table/75023521#75023521
via IFTTT
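To see what the rex/mvzip/mvexpand pipeline above actually produces, and why the answer points to proper JSON parsing first, here is an added Python emulation (not from the original answer, and not Splunk code) that runs the same five regexes and the zip/expand/re-extract step over a constructed event. The sample event, the missing-field case, and the assumption that mvzip pairs values only up to the shorter list are mine.

```python
import json
import re

# Constructed sample event (not from the original question): one raw log line
# carrying a JSON document with a list of feature flags.
RAW_EVENT = (
    '{"features":['
    '{"id":101,"updatedAt":"2023-01-05T10:00:00Z","createdAt":"2023-01-01T09:00:00Z",'
    '"feature":"dark_mode","enabled":true},'
    '{"id":102,"updatedAt":"2023-01-06T11:00:00Z","createdAt":"2023-01-02T09:30:00Z",'
    '"feature":"beta_api","enabled":false}]}'
)
# Same event, but the first object has no updatedAt (constructed failure case).
MISSING_UPDATED_EVENT = RAW_EVENT.replace('"updatedAt":"2023-01-05T10:00:00Z",', "", 1)

# The five rex patterns from the answer, in Python regex syntax.
REX = {
    "id": r"id\W+(\d+)",
    "updated": r"updatedAt\W+([^\"]+)",
    "created": r"createdAt\W+([^\"]+)",
    "feature": r"feature\W+([^\"]+)",
    "enabled": r"enabled\W+(\w+)",
}
# The final rex that splits each zipped value back into its fields.
ROW_RE = re.compile(r"(?P<id>[^;]+);(?P<updated>[^;]+);(?P<created>[^;]+);"
                    r"(?P<feature>[^;]+);(?P<enabled>.+)")

def rex_max_match(raw):
    """Emulate `rex max_match=0`: every field becomes a multivalue list."""
    return {name: re.findall(pat, raw) for name, pat in REX.items()}

def mvzip(left, right, delim=";"):
    """Emulate mvzip. Assumption: pairing stops at the shorter list (Python zip)."""
    return [f"{a}{delim}{b}" for a, b in zip(left, right)]

def regex_pipeline(raw):
    """rex -> nested mvzip -> mvexpand -> re-extract, in the answer's order."""
    mv = rex_max_match(raw)
    an_event = mvzip(mvzip(mvzip(mvzip(mv["id"], mv["updated"]),
                                 mv["created"]), mv["feature"]), mv["enabled"])
    # mvexpand yields one row per zipped value; the last rex splits it again.
    return [ROW_RE.match(value).groupdict() for value in an_event]

def json_pipeline(raw):
    """The route the answer recommends instead: parse the event as JSON."""
    return [
        {"id": str(f["id"]), "updated": f.get("updatedAt"), "created": f.get("createdAt"),
         "feature": f.get("feature"), "enabled": str(f.get("enabled")).lower()}
        for f in json.loads(raw)["features"]
    ]
```

On the well-formed event both routes agree; on the event missing one updatedAt the regex route silently pairs id 101 with 102's timestamp and drops the second row, while the JSON route keeps both rows with the field left empty.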