Splunk field extractions for pfSense firewall logs (IPv4)

pfsense-props.conf

# The first attempt used CSV, but can't break up the first fields
[pfsense-fw-ipv4-tcp]
INDEXED_EXTRACTIONS = csv
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Network & Security
pulldown_type = 1
FIELD_NAMES = log_metadata,sub_rulenum,anchor,tracker,interface,reason,action,direction,ip_version,ip_tos,ip_ecn,ip_ttl,ip_id,ip_offset,ip_flags,ip_proto_id,ip_proto_text,ip_length,ip_src_addr,ip_dest_addr,ip_src_port,ip_dst_port,ip_data_length,tcp_flags,tcp_seq_num,tcp_ack_num,tcp_window,tcp_urg,tcp_opts

# Improved version (I needed to distinguish from other syslog sources here)
[host::my.firewall.fqdn]
EXTRACT-pfsense-fw-ipv4 = ^(?<evt_time>.{15})\s(?<hostname>[A-Za-z0-9-\.]+)\s(?<log_time>.{15})\sfilterlog:\s(?<rulenum>[0-9]+),(?<sub_rulenum>[0-9]*),(?<anchor>[^,]*),(?<tracker>[0-9]*),(?<interface>[^,]*),(?<reason>[^,]*),(?<action>[^,]*),(?<direction>[^,]*),(?<ip_version>[^,]*),(?<ip_tos>[^,]*),(?<ip_ecn>[^,]*),(?<ip_ttl>[^,]*),(?<ip_id>[^,]*),(?<ip_offset>[^,]*),(?<ip_flags>[^,]*),(?<ip_proto_id>[^,]*),(?<ip_proto_text>[^,]*),(?<ip_length>[^,]*),(?<ip_src_addr>[^,]*),(?<ip_dest_addr>[^,]*),(?<ip_src_port>[^,]*),(?<ip_dst_port>[^,]*),(?<ip_data_length>[^,]*)(,(?<tcp_flags>[^,]*),(?<tcp_seq_num>[^,]*),(?<tcp_ack_num>[^,]*),(?<tcp_window>[^,]*),(?<tcp_urg>[^,]*),(?<tcp_opts>[^,]*))?$