I have a simple field extraction for postfix:
(?=[^C]*(?:Client host rejected|C.*Client host rejected))^(?:[^\[\n]*\[){3}(?P<src_ip>[^\]]+)
This was working fine and giving me a src_ip, but after the upgrade from 7.1.2 to 7.2.0 it doesn't appear this works:

However, when going to Field extraction my src_ip field is identified:

Not sure where to go next...thank you
I had this same issue. When investigating the cause, I found that I had a field alias relating to the same sourcetype and field. The field alias was not actually doing anything, so I went ahead and deleted it. Once deleted, I was able to see the field extraction in the search. In my case the field alias was "Field"="ProblemField"
I hope this helps.
On your note, just an FYI on a fieldalias incorrect behavior from 7.2.x versions...
https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html
I think your regex string is more complex than necessary. Try something simpler like Client host \[(?<src_ip>[^\]]+)\] blocked. This is untested since I can't paste screenshots into regex101.com for testing.
Agreed. Regex needs to be cleaned up
While I appreciate the fact that the Splunk-generated regex may need work, in the blue screenshot above the field is shown already extracted; hovering over the IP shows "src_ip". Also, again, this worked just fine in 7.1.2...what changed in 7.2.0? Thanks for the responses.
Perhaps they made a code change to tighten rules on regex? Have you looked at the release notes? Why not just use a cleaner approach to writing regular expressions?
I will test the changed regex...I just don't have access to the box at this moment
But ya I'll test something different like you suggested and report my findings thanks.
Try adding this to test
| rex "Client\shost\s\[(?<src_ip>\d+\.\d+\.\d+\.\d+)\]"
Aye that rex line worked like a champ in search. That same line in field extraction doesn't work...it's almost like the extractions aren't happening. Guess I need to find a way to see what extractions are taking place.
Your regex string does not match your sample event. Perhaps it was mangled by the forum. Please edit your question to show the full regex string, making sure to indent the line 4 spaces or put it inside backtick characters.