Hi, I've run into an issue while working with the Splunk REST API, specifically when trying to leverage extracted fields. Within the Splunk app my data lives in, I have the following regular expression as a field extraction for the sendmail QID:

^[^\\]\\n]*\\]:\\s+(?P<QID>[^:]+)

This works as expected in the GUI for me and for users of the application. However, when attempting to leverage the "QID" field in a REST API call with the following parameters (x-www-form-urlencoded; I'm showing this as a dict as I use Python for my calls), there is no QID field available to me.

POST to services/search/jobs
{
"rf" : "QID",
"adhoc_search_level" : "verbose",
"search" : "search index=sec_email sourcetype=<mysourcetype> earliest=@d | fields QID, msgid | search msgid=\"<my_message_id>\""
}

I've confirmed that I receive results here, but the QID field is not available. My question: is there a parameter I am missing to leverage pre-existing field extractions from the Splunk app, or am I going to need to use rex to re-extract (this is what I am doing now, but it's less than ideal)? Thank you!
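The following is an added Python example, not code from the post or from Splunk. It does two things a practitioner would want to check before blaming the API: it runs the post's extraction regex (written unescaped, as it would appear in the GUI or props.conf; the version in the post is JSON-escaped, so each "\\" is one "\") against constructed sendmail events to confirm what QID it captures, and it prepares, without sending, the same search/jobs POST under the app-namespaced path servicesNS/<owner>/<app>/search/jobs. The assumption, stated in the code, is that an app-scoped field extraction is only applied when the search job runs in that app's context, which the plain services/search/jobs path does not set. The host, app name, token and events are placeholders or constructed values.

```python
import re
import urllib.parse
import urllib.request

# The extraction from the post, unescaped (one backslash per escape).
QID_EXTRACTION = r"^[^\]\n]*\]:\s+(?P<QID>[^:]+)"
QID_RE = re.compile(QID_EXTRACTION)

# Constructed sample events in sendmail's syslog shape; not real log data.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 mailhost sendmail[12345]: r0AC001x012345: from=<alice@example.com>, size=1024",
    "Jan 10 12:00:02 mailhost sendmail[12345]: r0AC001x012345: to=<bob@example.org>, stat=Sent",
    "Jan 10 12:00:03 mailhost kernel: something unrelated",  # no "]:" so no QID
]


def extract_qid(event: str):
    """Apply the post's regex to one raw event; return the QID or None."""
    m = QID_RE.match(event)
    return m.group("QID") if m else None


def build_search_job_request(base_url: str, owner: str, app: str, token: str,
                             search: str, rf=None,
                             adhoc_search_level: str = "verbose"):
    """Prepare (but do not send) a POST to the app-namespaced search/jobs endpoint.

    Assumption: running the job under servicesNS/<owner>/<app>/ puts it in that
    app's context so the app's knowledge objects (field extractions) are applied,
    whereas services/search/jobs runs with no app context.
    """
    url = "{}/servicesNS/{}/{}/search/jobs".format(
        base_url.rstrip("/"),
        urllib.parse.quote(owner, safe=""),
        urllib.parse.quote(app, safe=""),
    )
    form = [("search", search), ("adhoc_search_level", adhoc_search_level)]
    if rf:
        form.append(("rf", rf))  # rf = required fields, as in the post
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Bearer {}".format(token))  # token is a placeholder
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def form_fields(req):
    """Decode the prepared request body back into a dict for inspection."""
    return urllib.parse.parse_qs(req.data.decode())


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("QID =", extract_qid(ev), "<-", ev)
    req = build_search_job_request(
        "https://splunk.example:8089",   # placeholder host
        "nobody", "my_sendmail_app",     # placeholder owner/app namespace
        "TOKEN_PLACEHOLDER",
        'search index=sec_email sourcetype=<mysourcetype> earliest=@d | fields QID, msgid',
        rf="QID",
    )
    print(req.get_method(), req.full_url)
    print(form_fields(req))
```

If the QID comes back from extract_qid on a real event but is still missing from the REST results, the regex is not the problem and the namespace of the job is the next thing to compare against what the GUI session uses (the app you are in when the search works).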