Hi,
I've run into an issue while working with the Splunk Rest API, specifically when trying to leverage extracted fields.
Within the Splunk App my data lives in I have the following regular expression as a field extraction for sendmail QID
^[^\\]\\n]*\\]:\\s+(?P<QID>[^:]+)
This works as expected in the GUI for myself and users of the application.
However, when attempting to leverage the "QID" field in a REST API call with the following parameters (x-www-form-urlencoded; I'm showing this as a dict as I use Python for my calls), there is no QID field available to me.
POST to services/search/jobs
{
"rf" : "QID",
"adhoc_search_level" : "verbose",
"search" : "search index=sec_email sourcetype=<mysourcetype> earliest=@d | fields QID, msgid | search msgid=\"<my_message_id>\""
}
I've confirmed that I receive results here, but the QID field is not available.
My question here is:
Is there a parameter I am missing to leverage pre-existing field extractions from the Splunk App, or am I going to need to use rex to re-extract (this is what I am doing now, but it's less than ideal).
Thank you!
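As an added example (not part of the original post), the extraction regex from the question applied client-side in Python to constructed sendmail syslog lines. This is the rex-style fallback the question describes: deriving QID from `_raw` in the returned results when the server-side extraction does not come through. The sample events and the `add_qid_field` helper are assumptions for illustration.

```python
import re

# The field extraction from the post, with the doubled backslashes of the
# GUI/props form reduced to a plain regex. (?P<QID>...) is valid Python syntax.
QID_PATTERN = re.compile(r"^[^\]\n]*\]:\s+(?P<QID>[^:]+)")


def extract_qid(raw_event: str):
    """Return the sendmail queue ID from one raw syslog line, or None."""
    match = QID_PATTERN.match(raw_event)
    return match.group("QID") if match else None


def add_qid_field(results):
    """Client-side equivalent of the search-time extraction.

    results: list of result dicts as the jobs results endpoint returns them
    in JSON output (each carrying a _raw field). A QID already supplied by
    the server is kept; otherwise it is derived from _raw where possible.
    """
    enriched = []
    for event in results:
        event = dict(event)
        if "QID" not in event:
            qid = extract_qid(event.get("_raw", ""))
            if qid is not None:
                event["QID"] = qid
        enriched.append(event)
    return enriched


# Constructed sample events (not real data) in sendmail syslog format.
SAMPLE_RESULTS = [
    {"_raw": "Jan 10 12:00:01 mailhost sendmail[12345]: 0AB1CDE2F3G4: "
             "from=<alice@example.com>, size=1234, msgid=<abc@example.com>"},
    {"_raw": "Jan 10 12:00:02 mailhost sendmail[12345]: 0AB1CDE2F3G4: "
             "to=<bob@example.org>, stat=Sent"},
    # No "]:" in this line, so the extraction yields nothing for it.
    {"_raw": "Jan 10 12:00:03 mailhost sendmail: restarted"},
]

if __name__ == "__main__":
    for event in add_qid_field(SAMPLE_RESULTS):
        print(event.get("QID"), "<-", event["_raw"][:60])
```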