Adding non default fields to API calls to the record endpoint

Does anyone know how to bring back non-default fields in queries to the record endpoint.? In the example below I want to have the origin field included in the fields returned, but the syntax below doesn’t get the job done.

postBody={
“filter”: {
“operator”: “and”,
“rules”: [{
“field”: “uri”,
“operand”: “some/uri”,
“operator”: “=”
},
{
“field”: “serverAddr”,
“operand”: “10.1.2.3”,
“operator”: “=”
}]
},
“limit”: 1000,
“context_ttl”: “5m”,
“from”: dFrom,
“until”: dUntil,
"fields": [‘origin’],
“types”: ["~http"]

I just performed a test and it looks like all record fields are returned with the query (no need to specify which ones you would like).

This is a guess on my part, but it is possible the records you’re querying didn’t have an origin available to the Extrahop and so it was never committed.

I performed two test queries to see what records with and without an origin look like.

has_origin = {
  "filter": {
    "field": "origin",
    "operand": "",
    "operator": "exists",
  },
  "from": "-30m",
  "limit": 100,
  "offset": 0,
  "types": [
    "~http"
  ],
  "until": 0
}

no_origin = {
  "filter": {
    "field": "origin",
    "operand": "",
    "operator": "not_exists",
  },
  "from": "-30m",
  "limit": 100,
  "offset": 0,
  "types": [
    "~http"
  ],
  "until": 0
}

When I tested the origin query the origin field was present in all of the records, when I tested the other query the result didn’t have the origin field at all.

So it appears that rather than return an empty origin field the Extrahop simply doesn’t include that field in the returned record if it isn’t present.

Thank you for the response and indeed, if the field doesn’t have a value it isn’t returned in the response.