I am trying to create a field extraction using the manager to extract the equivalent of:
sourcetype=jsonLogs | rex field=message "^'(?<s>[^']*)' request received"
which extracts requesttype properly (as s - Markdown is removing anything between <> with more than one character). Manager creates the following (ignoring the naming difference between transactiontype and requesttype):
props.conf:
[jsonLogs]
REPORT-requesttype = requesttype
transforms.conf:
[requesttype]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = ^'(?<transactiontype>[^']*)' request received
SOURCE_KEY = message
However, the requesttype field is never extracted and does not show up in the available fields dialog with the following search:
sourcetype=jsonLogs
Including the field in the search does not return any results:
sourcetype=jsonLogs requesttype=*
The files are in the search app on the search server, and do not exist on the indexer, which looks to be correct from the documentation at http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Whatisdistributedsearch. The field extraction only occurs on a limited number of results (~65 of 22,000) in the initial search. I can't figure out what I am doing wrong here after working on this for several hours. Is there anything I should be looking at?