Splunk Search

REST API Leverage Existing Field Extractions

kalebh
New Member

Hi,

I've run into an issue while working with the Splunk Rest API, specifically when trying to leverage extracted fields.

Within the Splunk App my data lives in I have the following regular expression as a field extraction for sendmail QID

^[^\\]\\n]*\\]:\\s+(?P<QID>[^:]+)

This works as expected in the GUI for myself and users of the application.

However, when attempting to leverage the "QID" field in a REST API Call with the following parameters (x-www-form-urlencoded. I'm showing this as a dict as I use python for my calls.), there is no QID field available to me.

 

x

POST to services/search/jobs

{

"rf" : "QID",

"adhoc_search_level" : "verbose",

"search" : "search index=sec_email sourcetype=<mysourcetype> earliest=@d | fields QID, msgid | search msgid=\"<my_message_id>\""

}

I've confirmed that I receive results here, but QID field is not available.

My question here is:

Is there a parameter I am missing to leverage pre-existing field extractions from the Splunk App, or am I going to need to use rex to re-extract (this is what I am doing now, but it's less than ideal).

 

Thank you!

Labels (1)
0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...