Before I dive into the issue, I'd like to explain the goal:
I have a search that returns some fields including an SID. From there I am attempting a left join on the SID to include the results by using the |REST endpoint. I've successfully returned results via curl, but as of yet I have not succeeded using |REST.
I have attempted these tests on both expired and non-expired SIDs.
Below is an example of successfully returning results via curl:
All of this leads me to believe that this is not possible and that the |REST command does not have access to all of the endpoints available via curl. If this is the case, is there a way to do what I'm attempting in another fashion, or do I need to resort to a script? A script is possible, but ideally, I'd like to keep it entirely in SPL.
Edit: We are also considering using |loadjob, but the sid argument seems to treat fields as literal strings. Specifying savedsearch= has potential, but requires a user:app:search definition, which seems clumsy.
While probably not best practice, you can use the map function in conjunction with loadjob (as you mentioned) for a thing like this. Assuming your base result set is not massive, you can store it in a lookup table (haven't tested with KV store but don't see why not) and re-attach it to the results using lookup. If anyone knows how to make map simply append the results like a join instead of replacing the results, please chime in.
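The map, loadjob and lookup combination described in the answer above, written out as an added example that is not part of the original thread: the base rows are saved to a lookup, `map` runs `loadjob` once per SID and stamps each returned row with that SID, and `lookup` re-attaches the base fields. The `_audit` base search, the fields `user` and `total_run_time`, and the lookup file name `base_results.csv` are assumptions chosen for illustration; only `sid` comes from the question.

```spl
index=_audit action=search info=completed search_id=*
| eval sid=trim(search_id, "'")
| dedup sid
| fields sid, user, total_run_time
| outputlookup base_results.csv
| map maxsearches=50 search="| loadjob $sid$ | eval sid=\"$sid$\""
| lookup base_results.csv sid OUTPUT user, total_run_time
```

`map` stops after 10 subsearches unless `maxsearches` is raised, and `loadjob` returns rows only for jobs whose artifacts still exist and that the running user is allowed to read.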