I'm fairly sure it's not an encoding issue since the search would fail and the REST response would indicate that with a FAILED status and details about a malformed search expression. This is not the case - it actually completes to a status of DONE, but the response results field is empty. As per you suggestion, I changed the expression to = with a known value and I get the same empty results field. The only thing that produces results, is removing the where clause.
As for the script, it's a Python script using the Request library which makes use of POST /search/jobs/ to create the search job, and then GET /search/jobs/{search_id}/results to get the results. The GET request has the following request params: {output_mode': 'json', 'f':'summary', 'count':'0'} . For details on this API, see:
https://docs.splunk.com/Documentation/Splunk/7.2.4/RESTREF/RESTsearch#search.2Fjobs.2F.7Bsearch_id.7D.2Fresults
... View more