Hello

I download cisco asa add-on from splunk base and in default folder/transforms.conf some regexes cannot be used in Splunk UI using regex/rex command as there is comming error for missing closing parenthesis but I dont understand as the regex is supposed to be correct as no customizations are made.

Its multiple regexes with same error so it seems that there is some difference between regex interpretator in splunk from transforms.conf and this in UI.

Can someone confirm this or explain why this happens?

exmaple regex :
[cisco_asa_message_id_302014_302016]
REGEX = -30201[46]:\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\\]+)\\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?

 Error in 'rex' command: Encountered the following error while compiling the regex '\s*(\S+)\s+(\S+)\s+connection\s+(\d+)\s+for\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\]+)\)?([\w\-_]+)\s*\))?\s+to\s+([^:\s]+)\s*:\s*(?:((?:[\d+.]+|[a-fA-F0-9]*:[a-fA-F0-9]*:[a-fA-F0-9:]*))|(\S+))\s*\/\s*(\d{1,5})(?:\s*\(\s*(?:([\S^\]+)\)?([\w\-_]+)\s*\))?\s+[Dd]uration:?\s*(?:(\d+)[dD])?\s*(\d+)[Hh]?\s*:\s*(\d+)[Mm]?\s*:\s*(\d+)[Ss]?\s+bytes\s+(\d+)\s*(?:(.+?(?=\s+from))\s+from\s+(\S+)|([^\(]+))?\s*(?:\(\s*([^\)\s]+)\s*\))?': Regex: missing closing parenthesis.

BTW: the regex is working fine in regex101.com