Splunk: Referencing field transformations within field transformations
12-12-2019
Question
I'm using Splunk to receive my Heroku logs over TCP. Heroku formats these logs like this:
[timestamp] [host] [source] [process] - - [message]
For the nginx process, logs come out like this:
[timestamp] [host] heroku nginx - - [nginx's output]
I'd like to process these logs using Splunk's default access-extractions field transformation. I had a look at some of the other built-in transformations that reference other transformations and tried this as the regex for my new transformation:
(?i) heroku nginx \- \- [[access-extractions]]
However, when I click "Save" I get:
Encountered the following error while trying to save: In handler 'transforms-extract': Regex: range out of order in character class
What's the syntax to reference other field transformations from within a field transformation? Is this the best way to do what I'm trying to do?
Solution
Never mind, I upgraded to v4.3.1 and the regex works now.
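
Compiled literally, `[[access-extractions]]` is a character class containing the reversed range `s-e`, which is the condition the quoted error describes. The Python sketch below is an added example, not Splunk's code and not part of the original thread: it models `[[name]]` expansion before compilation, and the `access-extractions` pattern and the log lines in it are constructed stand-ins.

```python
import re
import warnings

# Constructed stand-in for the named transform; NOT Splunk's real access-extractions regex.
TRANSFORMS = {
    "access-extractions": (
        r'(?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
        r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
    ),
}
RAW = r"(?i) heroku nginx \- \- [[access-extractions]]"  # regex from the question
REF = re.compile(r"\[\[([\w-]+)\]\]")  # a [[name]] reference

def compile_error(pattern):
    """Return the engine's error text for pattern, or None if it compiles."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # '[[' also triggers a nested-set FutureWarning
        try:
            re.compile(pattern)
        except re.error as exc:
            return str(exc)
    return None

def expand(pattern, transforms, seen=()):
    """Substitute every [[name]] with the named regex, recursively; reject cycles."""
    def substitute(match):
        name = match.group(1)
        if name in seen:
            raise ValueError("circular reference: " + name)
        if name not in transforms:
            raise KeyError("unknown transform: " + name)
        return "(?:" + expand(transforms[name], transforms, seen + (name,)) + ")"
    return REF.sub(substitute, pattern)

def extract(line):
    """Apply the expanded pattern to one log line; return named fields or None."""
    match = re.search(expand(RAW, TRANSFORMS), line)
    return match.groupdict() if match else None

# Constructed sample lines in the Heroku layout described in the question.
NGINX_LINE = ('2019-12-12T10:00:00+00:00 host heroku nginx - - 203.0.113.7 - - '
              '[12/Dec/2019:10:00:00 +0000] "GET /login HTTP/1.1" 200 512')
OTHER_LINE = "2019-12-12T10:00:01+00:00 host app web.1 - - Started GET /login"

if __name__ == "__main__":
    print("unexpanded:", compile_error(RAW))
    print("expanded  :", extract(NGINX_LINE))
    print("non-nginx :", extract(OTHER_LINE))
```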