I've worked out a regex to pull out group names from audit logs. It works for one field with no special characters, but in another, more elaborated field, my rex becomes confused.
|rex "\w+ added to (?"EXTRACTION SHOULD BE HERE BUT SPLUNK.com FILTERS THE TAGS"\w+) in the \w+" "Member Bill added to Mail Admin in the Restricted Groups Policy PostOffice"
works fine, but when it becomes more complex I am not sure how to have the rex query ignore all the special characters that may show up
"Member Bill added to Mail Admin in the Restricted Groups Policy (SLASHES)K12\\DC5000Dallas [WEDT] Mail Admin"
This turns up nothing. So basically I want to eliminate the slashes (that don't show up here oddly) and  that get mixed in, just ignore after the group name extraction. Thanks in advance!
Edit, splunk filters out the tags so the rex looks weird but I'm using the correct named extration