Re: [rt-users] Some RTIR automation?

2010-12-20 Thread Ruslan Zakirov
Hi,

Condition looks good. On a side note I recommend you start developing
using RTIR 2.6 and a dev server, then upgrade when code is ready. We
deleted prefix _RTIR_ from custom fields and you'll have to change
that if you delay upgrade.

Start action from getting IP addresses and storing them into an array
then dumping into RT's logs. Look for usage of CustomFieldValues
method.

On Sat, Dec 18, 2010 at 4:00 AM, Landon Stewart  wrote:
> Hello RT-Users,
>
> To recap what I wrote about in this thread before was:
> - An incident report comes in...
> - If it has at least one IP address in the _RTIR_IP field do EITHER:
> -- Link to an existing incident by IP address *OR*
> -- Create a new incident
>
> (The goal is to automatically group Incident Reports by IP address instead
> of doing it manually.)
>
> Ruslan wrote back saying:
>>
>> It's totally doable with scrips. RTIR itself has a lot of examples
>> with bits you need. Basically you need:
>>
>> When IR is created with and IP is set or when IP is changed from no
>> value to a value, link to existing incident or create a new one. First
>> part is a condition and second part is an action.
>>
>> For example lib/RT/Condition/RTIR_BlockActivation.pm is quite close.
>> Checks whether ticket is created with active state or state is changed
>> to active.
>>
>> Action is not that straightforward, but try it and if you have
>> problems return back to us with detailed questions.
>
> OK, let's talk about the Condition first...
>
> Is this enough to trigger the condition?
> my $self = shift;
> my $txn = $self->TransactionObj;
> my $type = $txn->Type;
> return 1 if $type eq 'Create'
>   && ($self->TicketObj->FirstCustomFieldValue('_RTIR_IP'));
>
> The other thing is the action... I really don't know where to start on the
> action.  I know it's going to be lengthy though because there's some checks
> it has to do itself to decide what the exact course of action will be.
>
> Here's what it should do, I think:
> - foreach IP address in _RTIR_IP
> -- Look for an Incident that contains that IP address
> -- When it finds one, LINK to that Incident
> -- If it does not find one, create a new Incident
>
> There will probably need to be a list of exclusions somewhere.  For example
> if someone does a lookup on a domain we host and sends a complaint about it
> they might send the domain name, the IP address it resolves to as well as
> the IP address of our name server.  I wouldn't want every report that
> contained the IP address of our name server linked to a common Incident.
>
> Also there's a what if here...  What if they report two IP addresses that
> already each have an Incident created for them.  Would I merge them all
> together into one Incident?
>
> Any ideas on where to start writing the action and reviewing the condition
> above would be appreciated.  On or off list is fine with me.
>
> Thank you!
>
> --
> Landon Stewart 
> SuperbHosting.Net by Superb Internet Corp.
> Toll Free (US/Canada): 888-354-6128 x 4199
> Direct: 206-438-5879
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>



-- 
Best regards, Ruslan.


Re: [rt-users] Some RTIR automation?

2010-12-17 Thread Landon Stewart
Hello RT-Users,

To recap what I wrote about in this thread before was:
- An incident report comes in...
- If it has at least one IP address in the _RTIR_IP field do EITHER:
-- Link to an existing incident by IP address *OR*
-- Create a new incident

(The goal is to automatically group Incident Reports by IP address instead
of doing it manually.)

Ruslan wrote back saying:

> It's totally doable with scrips. RTIR itself has a lot of examples
> with bits you need. Basically you need:
>
> When IR is created with and IP is set or when IP is changed from no
> value to a value, link to existing incident or create a new one. First
> part is a condition and second part is an action.
>
> For example lib/RT/Condition/RTIR_BlockActivation.pm is quite close.
> Checks whether ticket is created with active state or state is changed
> to active.
>
> Action is not that straightforward, but try it and if you have
> problems return back to us with detailed questions.
>


OK, let's talk about the Condition first...

Is this enough to trigger the condition?
my $self = shift;
my $txn = $self->TransactionObj;
my $type = $txn->Type;
return 1 if $type eq 'Create'
  && ($self->TicketObj->FirstCustomFieldValue('_RTIR_IP'));

The other thing is the action... I really don't know where to start on the
action.  I know it's going to be lengthy though because there's some checks
it has to do itself to decide what the exact course of action will be.

Here's what it should do, I think:
- foreach IP address in _RTIR_IP
-- Look for an Incident that contains that IP address
-- When it finds one, LINK to that Incident
-- If it does not find one, create a new Incident

There will probably need to be a list of exclusions somewhere.  For example
if someone does a lookup on a domain we host and sends a complaint about it
they might send the domain name, the IP address it resolves to as well as
the IP address of our name server.  I wouldn't want every report that
contained the IP address of our name server linked to a common Incident.

Also there's a what if here...  What if they report two IP addresses that
already each have an Incident created for them.  Would I merge them all
together into one Incident?

Any ideas on where to start writing the action and reviewing the condition
above would be appreciated.  On or off list is fine with me.

Thank you!

-- 
Landon Stewart 
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
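
The decision logic outlined in the message above (per-IP link-or-create, an exclusion list, and the case of two IPs that already belong to different Incidents), as an added example that is not part of the original thread and not RTIR code. It is plain Perl with no RT dependency; the function name, the data layout, the sample addresses and ticket ids, and the choice to flag the multi-Incident case for manual review instead of merging are all assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decide, per reported IP, whether an Incident Report should be linked to an
# existing open Incident or needs a new one (hypothetical helper).
#   $ips      - arrayref of IP strings taken from the report's IP custom field
#   $excluded - hashref of IPs never used for grouping (e.g. shared name servers)
#   $open     - hashref mapping IP => id of the open Incident that holds it
sub plan_grouping {
    my ($ips, $excluded, $open) = @_;
    my (%seen, %link_to, @create, @skipped);

    for my $ip (@$ips) {
        next if $seen{$ip}++;                          # ignore duplicate values
        if ($excluded->{$ip}) { push @skipped, $ip; next; }
        if (defined $open->{$ip}) { $link_to{ $open->{$ip} } = 1; }
        else                      { push @create, $ip; }
    }

    my @incidents = sort { $a <=> $b } keys %link_to;
    return {
        link    => \@incidents,   # existing Incidents to link the report to
        create  => \@create,      # IPs with no open Incident yet
        skipped => \@skipped,     # excluded IPs, never grouped on
        # Two or more distinct Incidents matched: leave the merge decision to
        # a person rather than merging automatically (assumption).
        review  => (@incidents > 1 ? 1 : 0),
    };
}

# Constructed sample data (documentation address ranges, made-up ticket ids).
my %excluded = ('192.0.2.53' => 1);                    # stands in for a name server
my %open     = ('198.51.100.7' => 101, '203.0.113.9' => 102);

for my $report (
    ['198.51.100.7', '192.0.2.53'],      # known IP plus the excluded name server
    ['198.51.100.20'],                   # no open Incident yet
    ['198.51.100.7', '203.0.113.9'],     # two IPs, two different Incidents
) {
    my $p = plan_grouping($report, \%excluded, \%open);
    printf "%-28s link=[%s] create=[%s] skipped=[%s] review=%d\n",
        join(',', @$report), join(',', @{ $p->{link} }),
        join(',', @{ $p->{create} }), join(',', @{ $p->{skipped} }),
        $p->{review};
}
```

In a real scrip action the `%open` lookup would be replaced by a ticket search against the Incidents queue, and the returned plan would drive the link and create calls.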


Re: [rt-users] Some RTIR automation?

2010-10-25 Thread Ruslan Zakirov
Hi,

It's totally doable with scrips. RTIR itself has a lot of examples
with bits you need. Basically you need:

When IR is created with and IP is set or when IP is changed from no
value to a value, link to existing incident or create a new one. First
part is a condition and second part is an action.

For example lib/RT/Condition/RTIR_BlockActivation.pm is quite close.
Checks whether ticket is created with active state or state is changed
to active.

Action is not that straightforward, but try it and if you have
problems return back to us with detailed questions.

On Fri, Oct 22, 2010 at 9:19 PM, Landon Stewart  wrote:
> Many times a day I will login to RT+RTIR and consolidate Incident Reports
> into Incidents using the IP address field in RTIR.  Is there any way to
> automate the consolidation process of Incident Reports into Incidents where
> there's an IP address?  I would imagine it's possible but I'm not sure what
> to try even.
>
> For those who may not have seen it - RTIR is an addon for RT.  It creates
> three queues called Incident Reports, Incidents and Investigations.
> Incident Reports can be merged or multiple Incident Reports can be linked to
> a single Incident.  An Incident can be used to create a new ticket called an
> Investigation.  In our case we use this to consolidate abuse issues reported
> by outside parties by linking individual Incident Reports into Incidents and
> then opening an investigation with our customer.  After our customer replies
> to the Investigation and we can then respond to all the Incident Reports
> separately and all at once when the Incident is resolved.
>
> I had thought, maybe using code in a template, to script the creation of an
> Incident if no other open Incident exists with the IP address(es) from the
> Incident Reports.  If an Incident exists with that IP address and it's open
> it links the new incident report with that incident.  Can a script inside a
> template create an Incident?
>
> Then at regular times I can simply list the incidents and open
> investigations where needed and look for incident reports with no IP address
> in them (rare).
>
> Does anyone have any ideas on how to go about this?
>
> Thanks to anyone who has any ideas on where to start here.
>
> --
> Landon Stewart 
> SuperbHosting.Net by Superb Internet Corp.
> Toll Free (US/Canada): 888-354-6128 x 4199
> Direct: 206-438-5879
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>



-- 
Best regards, Ruslan.


[rt-users] Some RTIR automation?

2010-10-22 Thread Landon Stewart
Many times a day I will login to RT+RTIR and consolidate Incident Reports
into Incidents using the IP address field in RTIR.  Is there any way to
automate the consolidation process of Incident Reports into Incidents where
there's an IP address?  I would imagine it's possible but I'm not sure what
to try even.

For those who may not have seen it - RTIR is an addon for RT.  It creates
three queues called Incident Reports, Incidents and Investigations.
Incident Reports can be merged or multiple Incident Reports can be linked to
a single Incident.  An Incident can be used to create a new ticket called an
Investigation.  In our case we use this to consolidate abuse issues reported
by outside parties by linking individual Incident Reports into Incidents and
then opening an investigation with our customer.  After our customer replies
to the Investigation and we can then respond to all the Incident Reports
separately and all at once when the Incident is resolved.

I had thought, maybe using code in a template, to script the creation of an
Incident if no other *open* Incident exists with the IP address(es) from the
Incident Reports.  If an Incident exists with that IP address and it's *open*
it links the new incident report with that incident.  Can a script inside
a template create an Incident?

Then at regular times I can simply list the incidents and open
investigations where needed and look for incident reports with no IP address
in them (rare).

Does anyone have any ideas on how to go about this?

Thanks to anyone who has any ideas on where to start here.

-- 
Landon Stewart 
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net