There are several different implementations of Regular Expression engines, all commonly called
RegEx. Make sure that whatever you are reading/using is for
Perl Compatible Regular Expressions, which is the flavor that Splunk uses.
Have a look at the docs here http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/AboutSplunkregularexpressions and try the online regex tool called www.regex101.com, which works perfectly for Splunk regex. Another benefit of regex101.com is that it provides a detailed explanation of how and why it does or does not match 😉
Hope this helps ...
The regex101.com site that @MuS mentioned has checkboxes on the left to select what "flavor" of regular expression to use. As @woodcock pointed out, Splunk uses Perl Compatible Regular Expressions (PCRE). Just make sure the PCRE box is checked on regex101.com and you are good to go.
In Splunk, flags can be added to regular expressions by preceding them with (?flag). So, if you are looking to parse multi-line logs, you can add (?m) to the beginning. On the regex101.com site, you'll find a flag symbol to the right of the regular expression box. Click on that flag and it has checkboxes for any flag you want to have set for that regular expression.
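As an added illustration (not from any of the posters above), the following Python snippet shows what the (?m) inline flag changes when a pattern anchored with ^ is run over a constructed multi-line event. Python's re module accepts the same inline-flag syntax as PCRE; the only difference here is that its named groups are written (?P<name>...) rather than Splunk's (?<name>...).

```python
import re

# Constructed sample: one multi-line event (a stack trace) as Splunk might index it.
EVENT = (
    "2024-01-15 10:22:31 ERROR PaymentService - request failed\n"
    "  at com.example.pay.Charge.run(Charge.java:42)\n"
    "  at com.example.pay.Worker.loop(Worker.java:17)\n"
    "2024-01-15 10:22:32 INFO PaymentService - retry scheduled\n"
)

# Without (?m), ^ matches only at the very start of the string, so only the first
# line's level is extracted. With (?m), ^ also matches right after every newline,
# so every line that begins with a timestamp yields a match.
# Named groups use Python's (?P<name>...) form; Splunk's rex writes (?<name>...).
LEVEL_RE = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<level>[A-Z]+) (?P<component>\S+)"


def extract_levels(event, multiline):
    """Return the log level of each line whose start is reachable by ^."""
    pattern = ("(?m)" if multiline else "") + LEVEL_RE
    return [m.group("level") for m in re.finditer(pattern, event)]


def extract_frames(event):
    """Return the method names of the indented stack-frame lines.

    (?m) lets ^\\s+at anchor at the start of each indented line, not just line 1.
    """
    return re.findall(r"(?m)^\s+at (\S+)\(", event)


if __name__ == "__main__":
    print(extract_levels(EVENT, multiline=False))  # ['ERROR']
    print(extract_levels(EVENT, multiline=True))   # ['ERROR', 'INFO']
    print(extract_frames(EVENT))
```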
Besides all the other sources mentioned by MuS and other commenters, there is also a tutorial here:
Also watch Gabriel Vasseur's excellent presentation from last year's .conf:
With the accompanying PDF of the presentation found here:
He does a tutorial on using regular expressions. Very helpful.