I am having trouble with field extraction. I have a regex which works in a pcre regex tester but when I attempt to use this regex in splunk I get an "unmatched closing parenthesis" error

SPL:

sourcetype=mysourcetype | rex field=_raw max_match=0  "(?<_KEY_1>(?:[A-Z]\w+\s){0,1}+[A-Z]\w+):[^\S\t\n\r](?<_VAL_1>(?:\d+\/\d+\/\d+\s\d+:\d+:\d+\s\w+|(?:\w:)?[\w\(\).\/\\]*(?:[^\S\t\n\r][\w.\/\\\(\)-]+)*))\s"

Event text:

Mar 15 09:47:27  Agent: Desc: normalized    Agent ID: pbw   Agent Ver:  Category:   Source Host:    Event Desc: Custom Rule Applied Event Name: 28693   OS:     Event Severity: 0   Source IP:  Event Subject:  Event Type: 0   User: Domain\user   Workgroup Desc:     Workgroup ID:   Workgroup Location:     TimeCreated: 3/15/2019 2:47:00 PM   AssetId: 38282  AssetName: computername EventMessage: Custom Rule Applied   SystemType: WINDOWS Application:    RuleName: VS2017 - Publisher Rule (new) EventTypeID: 28693  Hash:   FirstOccurence: 3/15/2019 2:47:00 PM    LastOccurence: 3/15/2019 2:47:00 PM EventId1: 112618911 HasRule: TRUE   Vendor:     Arguments: /d /s /c tasklist /fi imagename eq devenv.exe /fi pid eq 16100 /fo table /nh Excluded: FALSE Application1:   RuleType: PUBLISHER RuleName1: VS2017 - Publisher Rule (new)    Justification:  Path: C:\Windows\system32\cmd.exe   UserName: domain\user   UserType: Administrator 

I initially built the regex into a transform for my searchheads. When that didn't work I started trying to test it in SPL to troubleshoot why it works in the online tester but not in Splunk. I'm missing whatever it is that's breaking my regex.