Absolutely. Below is the current search. It is in the context of ITSI, but the principal JSON as payload should be the same.
Thank you.
| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service fields="_key,entity_rules,title"
| eval strippedValue=spath(value,"{}")
| mvexpand strippedValue
`comment("breaking up the JSON body into reusable fields")`
| eval service_id=spath(strippedValue,"_key"), service_title=spath(strippedValue,"title"), entity_rules_field=spath(strippedValue,"entity_rules{}"), newestValue=spath(strippedValue,"kpis{}")
`comment("return all results where the entity rules have not been applied")`
| search NOT entity_rules_field="*"
| eval comment3="adding service ID to act as a lookup key, to the URL"
| eval curl_command="https://localhost:8089/servicesNS/nobody/SA-ITOA/itoa_interface/service/".service_id
| eval comment4="adding partial data flag to the existing url. We want to only update the desired entity_rules today"
| eval curl_command=curl_command."/?is_partial_data=1"
`comment("adding data body flag with JSON body, there is a space to separate the URL from the data flag")`
| eval curl_command=curl_command
| eval dataInput="{\"entity_rules\": [{\"rule_items\": [{\"field_type\": \"info\", \"field\": \"parentserviceinfo\", \"rule_type\": \"matches\", \"value\": \"deletemeparentservice-dc100\"}], \"rule_condition\": \"AND\"}], \"permissions\": {\"read\": true, \"group\": {\"read\": true, \"delete\": true, \"write\": true}, \"user\": \"admin\", \"delete\": true, \"write\": true}, \"object_type\": \"service\", \"sec_grp\": \"default_itsi_security_group\"}"
| map search="| curl method=post uri=$curl_command$ data=$dataInput$ user=admin pass=omitted debug=t"