[rt-users] Some RTIR automation?

Landon Stewart lstewart at superb.net
Fri Dec 17 20:00:00 EST 2010

Hello RT-Users,

To recap what I wrote about in this thread before:
- An incident report comes in...
- If it has at least one IP address in the _RTIR_IP field do EITHER:
-- Link to an existing incident by IP address *OR*
-- Create a new incident

(The goal is to automatically group Incident Reports by IP address instead
of doing it manually.)

Ruslan wrote back saying:

> It's totally doable with scrips. RTIR itself has a lot of examples
> with bits you need. Basically you need:
> When IR is created with and IP is set or when IP is changed from no
> value to a value, link to existing incident or create a new one. First
> part is a condition and second part is an action.
> For example lib/RT/Condition/RTIR_BlockActivation.pm is quite close.
> Checks whether ticket is created with active state or state is changed
> to active.
> Action is not that straightforward, but try it and if you have
> problems return back to us with detailed questions.

OK, let's talk about the Condition first...

Is this enough to trigger the condition?
my $self = shift;
my $txn = $self->TransactionObj;
my $type = $txn->Type;
return 1 if $type eq 'Create'
  && ($self->TicketObj->FirstCustomFieldValue('_RTIR_IP'));

The other thing is the action... I really don't know where to start on the
action.  I know it's going to be lengthy though because there are some checks
it has to do itself to decide what the exact course of action will be.

Here's what it should do, I think:
- foreach IP address in _RTIR_IP
-- Look for an Incident that contains that IP address
-- When it finds one, LINK to that Incident
-- If it does not find one, create a new Incident

There will probably need to be a list of exclusions somewhere.  For example
if someone does a lookup on a domain we host and sends a complaint about it
they might send the domain name, the IP address it resolves to as well as
the IP address of our name server.  I wouldn't want every report that
contained the IP address of our name server linked to a common Incident.

Also there's a what if here...  What if they report two IP addresses that
already each have an Incident created for them?  Would I merge them all
together into one Incident?

Any ideas on where to start writing the action and reviewing the condition
above would be appreciated.  On or off list is fine with me.

Thank you!

Landon Stewart <LStewart at SUPERB.NET>
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
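
The decision steps listed in the message above (per-IP lookup, the exclusion list, and the case where two reported IPs already have Incidents), modelled as an added example that is not part of the original post and is not RTIR code. The name plan_for_report, the sample IPs and the Incident ids are constructed; the in-memory hash stands in for a ticket search, and flagging multiple matches for review is an assumed policy, not an answer given in the thread.

```perl
use strict;
use warnings;

# Constructed sample data (assumptions, not from the original post).
my %excluded    = map { $_ => 1 } qw(192.0.2.53);   # e.g. a shared name server
my %incident_by = ('198.51.100.7' => 101, '198.51.100.20' => 102);  # IP => Incident id

# Plan the action for one Incident Report's IP list.
# In a real scrip the %$incident_by lookup would be a ticket search and the
# plan would be carried out with link/create calls; this models only the decision.
sub plan_for_report {
    my ($ips, $excluded, $incident_by) = @_;
    my (%seen, %link, @create, @skipped);
    for my $ip (@$ips) {
        next if $seen{$ip}++;                    # same IP listed twice
        if ($excluded->{$ip}) {                  # never group on these
            push @skipped, $ip;
            next;
        }
        my $id = $incident_by->{$ip};
        if (defined $id) { $link{$id} = 1 }      # existing Incident: link to it
        else             { push @create, $ip }   # none found: needs a new Incident
    }
    my @link = sort { $a <=> $b } keys %link;
    return {
        link    => \@link,
        create  => \@create,
        skipped => \@skipped,
        # More than one matching Incident is the "what if" case: flag it for a
        # person to decide instead of merging automatically (assumed policy).
        review  => (@link > 1 ? 1 : 0),
    };
}

# Constructed reports: name-server noise, two known IPs, and a repeated unknown IP.
my %reports = (
    'IR-A' => [qw(198.51.100.7 192.0.2.53)],
    'IR-B' => [qw(198.51.100.7 198.51.100.20)],
    'IR-C' => [qw(203.0.113.9 203.0.113.9)],
);
for my $name (sort keys %reports) {
    my $p = plan_for_report($reports{$name}, \%excluded, \%incident_by);
    printf "%s link=[%s] create=[%s] skipped=[%s] review=%d\n", $name,
        join(',', @{ $p->{link} }), join(',', @{ $p->{create} }),
        join(',', @{ $p->{skipped} }), $p->{review};
}
```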