I have come across a problem where the fields i have defined in my transforms.conf for a csv file are disappearing from the available fields list (on the left of the search results) after I create a new Field Extraction from the GUI. But only for the APP that I create the field extraction in, if i go back to the search app all of the fields defined in my transforms.conf file are available. I have reproduced this problem a couple times and am quite confused why adding a field extraction could stop these other fields from showing up in the App they are associated with.

In this case I have a list of fields that the CSV file provides, but i want to chop up a couple of the defined fields into smaller pieces. So i did a field extraction from the GUI. The log is from a mail server. I have a field defined for the sending address (orig) and I am trying to extract a client ID from that address (orig_client). here is the regex the field extractor came up with,

(?i)^[^\.]*\.(?P<orig_client>[^@]*)(?=@) 

this regex does work to find the values I am looking for, but after saving it something appears to break and it hides most, but not all, of the other fields that are defined in the transforms.conf file. I had previously added a couple other field extractions prior to this one and they worked, but adding this one caused the issue both times I saw this happen. I looked in the conf files for anything that could be overwriting the fields that should be available but have not been able to find anything out of the ordinary. Please help, this is a very strange issue and does not behave how I would expect it should.

How do you force splunk to display the fields you want when they appear to not exist in the list of available fields?

Thanks, Arlen