Linking Old Incident Reports with Incident

Hello Community,

I am trying to link old Incident Reports that exists in “IDS ALerts” queue with Incident. I am stuck. It will be great if some one helps here.

This is a scrip attached to Incident queue. Condition: On create

Logic:

1. User manually creates an Incident out of an Incident Report by selecting “src.ip+src.host” option from the dropdown that exists in front of the cutom field ‘Incident Condition’.

2. scrip concatenates source IP and destination IP and 'Incident Condition’field will be overwritten, “src.ip+src.host-” . SIP . “-” . DIP"

3. SQL will be queried to pull all the Incident reports(IR) matching this source IP and soucre host name

4. Matched IR wil be linked to this Incident

     my $queue = 'Incidents';
     my $cf_name = 'Incident Condition';
     my $cf_name_sip = 'Source IP';
     my $cf_name_shost = 'Source HostName';
     my $inc_condn = $self->TicketObj->CustomFieldValuesAsString('Incident Condition');
     my $src_queue = 'IDS Alerts';
     my $src_cf_name = 'Source IP';
     my $time_frame = '9 hours ago'; 
     RT::LoadConfig();
     RT::Init();
     my $tx = RT::Tickets->new($RT::SystemUser);
     my $cf = RT::CustomField->new($RT::SystemUser);
     my $q  = RT::Queue->new($RT::SystemUser);
     $q->Load($queue);
     $cf->LoadByNameAndQueue(Queue => $q->Id, Name => $cf_name);
   
     unless( $cf->id ) 
     {
          die "Could not load custom field";
     }
     
     if ($inc_condn eq 'src.ip+src.host')
     {
         my $cf_value_sip = $self->TicketObj->CustomFieldValuesAsString($cf_name_sip);
         my $cf_value_shost = $self->TicketObj->CustomFieldValuesAsString($cf_name_shost);
         my $concat = "src.ip+src.host-" . $cf_value_sip . "-" . $cf_value_shost;
         my $new_cf_value = $self->TicketObj->AddCustomFieldValue(Field => $cf->Id, Value => $concat);
     my ($status, $msg) = $tx->FromSQL(qq[queue="$src_queue" and Status="new" and Created > "$time_frame" and "CF.{$cf_name_sip}" = '$cf_value_sip' and "CF.{$cf_name_shost}" = '$cf_value_shost']);
     $RT::Logger->error("Couldn't link: $msg");
     my $i=0;
     while (my $st = $tx->Next)
     {   
        print "Processing Incident Report#: status - new" . ++$i . "\n";
        print "Incident found!" . "\n"; 
        unless($src_cf->id)
        {
        # queue 0 is special case and is a synonym for global queue
        $src_cf->LoadByNameAndQueue( Name => $cf_name, Queue => '0' );
        print "No field $src_cf_name in queue ". $q->Name;
        die "Could not load custom field";
        }
   
        $st->SetStatus('open');
        my ($status, $msg) = $st->AddLink( Type => 'MemberOf', Target => tx->Id );
   
        print "Link completed!"  . "\n";
    }
   

   }

Hello community,

Please ignore this thread. I found the way to achieve the objective. Will update the code soon as it might help some one