Hello RT-Users, To recap what I wrote about in this thread before was: - An incident report comes in... - If it has at least one IP address in the _RTIR_IP field do EITHER: -- Link to an existing incident by IP address *OR* -- Create a new incident
(The goal is to automatically group Incident Reports by IP address instead of doing it manually.) Ruslan wrote back saying: > It's totally doable with scrips. RTIR itself has a lot of examples > with bits you need. Basicly you need: > > When IR is created with and IP is set or when IP is changed from no > value to a value, link to existing incident or create a new one. First > part is a condition and second part is an action. > > For example lib/RT/Condition/RTIR_ > BlockActivation.pm is quite close. > Checks whether ticket is created with active state or state is changed > to active. > > Action is not that straightforward, but try it and if you have > problems return back to us with detailed questions. > OK lets talk about the Condition first... Is this enough to trigger the condition? my $self = shift; my $txn = $self->TransactionObj; my $type = $txn->Type; return 1 if $type eq 'Create' && ($self->TicketObj->FirstCustomFieldValue('_RTIR_IP')); The other thing is the action... I really don't know where to start on the action. I know its going to be lengthy though because there's some checks has to do itself to decide what the exact course of action will be. Here's what it should do, I think: - foreach IP address in _RTIR_IP -- Look for an Incident that contains that IP address -- When it finds one, LINK to that Incident -- If it does not find one, create a new Incident There will probably need to be a list of exclusions somewhere. For example if someone does a lookup on a domain we host and sends a complaint about it they might sent the domain name, the IP address it resolves to as well as the IP address of our name server. I wouldn't want every report that contained the IP address our name server linked to a common Incident. Also there's a what if here... What if they report two IP addresses that already each have an Incident created for them. Would I merge them all together into one Incident? Any ideas on where to start writing the action and reviewing the condition above would be appreciated. On or off list is fine with me. Thank you! -- Landon Stewart <lstew...@superb.net> SuperbHosting.Net by Superb Internet Corp. Toll Free (US/Canada): 888-354-6128 x 4199 Direct: 206-438-5879 Web hosting and more "Ahead of the Rest": http://www.superbhosting.net