https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94078#M24244 <P>Field names are case-sensitive. So in the following search</P> <PRE><CODE>index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P&lt;fieldname&gt;[^ ]+)\s+\d+:\d+:\d+:\d+\." | top 50 FIELDNAME </CODE></PRE> <P><CODE>fieldname</CODE> and <CODE>FIELDNAME</CODE> are not the same. I think the IFX uses <CODE>FIELDNAME</CODE></P> <P>So perhaps the following is what you want:</P> <PRE><CODE>index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P&lt;FIELDNAME&gt;[^ ]+)\s+\d+:\d+:\d+:\d+\." | top 50 FIELDNAME </CODE></PRE> Tue, 10 Jul 2012 03:19:45 GMT lguinn2 2012-07-10T03:19:45Z https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94077#M24243 <P>I have been trying to make a new field using IFX by making a search and selecting "extract fields" and then inputting the examples that I want, (I want a field for data like src=rcdn-vif41-19 and src=rtp1-vif17-15 and a separate field for data like src=rcdn9-dci04n-ucs02-b and src=alln01-dci04n-ucs01-a) and I tested the regex example it gave and it seemed to work fine, I just had to add the "FIELDNAME" field to the listed to be shown, as it said that I would have to in the Splunk documentation. Then I went back and saved the field as a name other than FIELDNAME and it worked fine. Now I am trying to make the second field of things like src=alln01-dci04n-ucs01-a and when I go to test the regex example it made, I cannot find the FIELDNAME field in the possible fields list. The test search is "index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P<FIELDNAME>[^ ]+)\s+\d+:\d+:\d+:\d+\." | top 50 FIELDNAME" Could anyone tell me how to get the FIELDNAME field back?</FIELDNAME></P> <P>Side note, I deleted the first field that I created because it actually wasn't what I wanted and tried to recreate it, and the same problem of FIELDNAME not showing up again in the regex test field list happened again.</P> <P>If anyone could help me that would be great!</P> Mon, 09 Jul 2012 22:02:49 GMT https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94077#M24243 klaurean 2012-07-09T22:02:49Z https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94078#M24244 <P>Field names are case-sensitive. So in the following search</P> <PRE><CODE>index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P&lt;fieldname&gt;[^ ]+)\s+\d+:\d+:\d+:\d+\." | top 50 FIELDNAME </CODE></PRE> <P><CODE>fieldname</CODE> and <CODE>FIELDNAME</CODE> are not the same. I think the IFX uses <CODE>FIELDNAME</CODE></P> <P>So perhaps the following is what you want:</P> <PRE><CODE>index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P&lt;FIELDNAME&gt;[^ ]+)\s+\d+:\d+:\d+:\d+\." | top 50 FIELDNAME </CODE></PRE> Tue, 10 Jul 2012 03:19:45 GMT https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94078#M24244 lguinn2 2012-07-10T03:19:45Z https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94079#M24245 <P>I did not see that distinction. I will try to make the two fields again today and let you know how it goes.</P> Tue, 10 Jul 2012 15:23:32 GMT https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94079#M24245 klaurean 2012-07-10T15:23:32Z https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94080#M24246 <P>FIELDNAME came back using your suggestion of just replacing the lowercase with the uppercase FIELDNAME. Thanks!</P> Tue, 10 Jul 2012 21:51:07 GMT https://community.splunk.com/t5/Splunk-Search/FIELDNAME-for-field-extraction-test-disappeared/m-p/94080#M24246 klaurean 2012-07-10T21:51:07Z