I can't for the life of me get one of the search app field extractions to also pick up the same regex (field extraction) on another sourcetype - I've made sure all the permissions are set to global for the extraction, and restarted splunk.
Can anyone offer any help?
Field extractions are relative to sourcetype. You can duplicate the extraction to the new sourcetype and it will work
There doesn't appear to be an easy way at least within splunk web to clone extractions?
Go to Settings>Fields
and find your field. Copy the regular expression, then create new. You should then paste this regex and tie it to your new sourcetype
Did this work for you?