I've run into an issue while working with the Splunk REST API, specifically when trying to leverage extracted fields.
Within the Splunk App my data lives in, I have the following regular expression as a field extraction for sendmail QID.
This works as expected in the GUI for myself and users of the application.
However, when attempting to leverage the "QID" field in a REST API call with the following parameters (x-www-form-urlencoded; I'm showing this as a dict as I use Python for my calls), there is no QID field available to me.
I've confirmed that I receive results here, but the QID field is not available.
My question here is:
Is there a parameter I am missing to leverage pre-existing field extractions from the Splunk App, or am I going to need to use rex to re-extract (this is what I am doing now, but it's less than ideal)?