I have a simple field extraction for postfix:
(?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)
This was working fine and giving me a src_ip, but after the upgrade from 7.1.2 to 7.2.0 it doesn't appear this works:
However, when going to Field extraction my src_ip field is identified:
Not sure where to go next...thank you
I had this same issue. When investigating the cause, I found that I had a field alias relating to the same sourcetype and field. The field alias was not actually doing anything, so I went ahead and deleted it. Once deleted, I was able to see the field extraction in the search. In my case the field alias was "Field"="ProblemField"
I hope this helps.
On your note, just an FYI on a field alias incorrect behavior from 7.2.x versions...
https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html
I think your regex string is more complex than necessary. Try something simpler like Client host \[(?<src_ip>[^\]]+)\] blocked
. This is untested since I can't paste screenshots into regex101.com for testing.
Agreed. Regex needs to be cleaned up
While I appreciate the fact that the splunk generated regex may need work, in the blue screenshot above the field is shown already extracted; hovering over the ip shows "src_ip". Also, again, this worked just fine in 7.1.2...what changed in 7.2.0? Thanks for the responses.
Perhaps they made a code change to tighten rules on regex? Have you looked at the release notes? Why not just use a cleaner approach to writing regular expressions?
I will test the changed regex...I just don't have access to the box at this moment 😉 But ya I'll test something different like you suggested and report my findings thanks.
Try adding this to test
| rex "Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]"
Aye that rex line worked like a champ in search. That same line in field extraction doesn't work...it's almost like the extractions aren't happening. Guess I need to find a way to see what extractions are taking place.
Your regex string does not match your sample event. Perhaps it was mangled by the forum. Please edit your question to show the full regex string, making sure to indent the line 4 spaces or put it inside backtick characters.
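An added example, not from anyone in this thread: a small Node.js harness that dry-runs the three candidate patterns from the discussion (the generated regex with its group name restored, the simpler "blocked" pattern, and the rex pattern) against constructed postfix smtpd lines, so an extraction can be validated outside Splunk before or after an upgrade. The sample events, their RFC 5737 TEST-NET addresses and the helper names are assumptions; it goes beyond the thread by showing side by side which postfix reject message each pattern actually targets.

```javascript
// Added example (not the thread's own code): dry-run Splunk-style extraction
// regexes against constructed postfix smtpd reject lines before deploying them
// as an EXTRACT-* in props.conf or a rex in search.
// Sample events are constructed (RFC 5737 TEST-NET addresses), not real logs.
const SAMPLE_EVENTS = [
  "Jan 10 12:34:56 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <unknown[203.0.113.5]>: Client host rejected: Access denied; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>",
  "Jan 10 12:35:01 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<c@example.net> to=<b@example.org> proto=ESMTP helo=<x>",
  "Jan 10 12:35:09 mx1 postfix/smtpd[2231]: connect from mail.example.com[192.0.2.10]",
];

// Candidate extractions written as they appear in Splunk (PCRE syntax).
// PCRE accepts both (?P<name>...) and (?<name>...); JavaScript only
// understands the latter, so toJsRegex() rewrites the Python-style form.
const CANDIDATES = {
  // The generated regex from the question, with the src_ip group name restored.
  generated: String.raw`(?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)`,
  // The simpler pattern suggested in the thread.
  simple: String.raw`Client host \[(?<src_ip>[^\]]+)\] blocked`,
  // The rex pattern that worked in search.
  rex: String.raw`Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]`,
};

// Convert a PCRE-flavoured pattern string into a JavaScript RegExp.
function toJsRegex(pcre) {
  return new RegExp(pcre.replace(/\(\?P</g, "(?<"));
}

// Returns { candidateName: [src_ip or null, one entry per event] } so each
// pattern's coverage over the sample set can be compared side by side.
function extractSrcIp(candidates, events) {
  const report = {};
  for (const [name, pcre] of Object.entries(candidates)) {
    const re = toJsRegex(pcre);
    report[name] = events.map((ev) => {
      const m = re.exec(ev);
      return m && m.groups && m.groups.src_ip ? m.groups.src_ip : null;
    });
  }
  return report;
}

console.table(extractSrcIp(CANDIDATES, SAMPLE_EVENTS));
```

On these constructed lines the generated regex only extracts from the "Client host rejected" event, while the "blocked" and rex patterns only extract from the RBL "Client host [ip] blocked" event, which is the first thing to check when an extraction suddenly stops producing a field.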