Use case:
Utilize the REST 2.0 API to query each log and write it to a file where I pull it into Splunk and create reports and dashboards.
Changes:
We migrated from RHEL6 something to RHEL8.9 and did a fresh install of RT5 and imported the database.
Now when running the perl script I get this output:
Querying custom fields
Plan on querying 34 tickets
Open our log file
Grabbing data for ticket #146523
Not a HASH reference at /opt/dump_rt_tickets/rt_queue1_incremental_splunk.pl line 99.
I have no idea how to write Perl. This was written by someone at BP years ago (and I’m very grateful for their help!). If anyone can help, I appreciate it. ChatGPT was not helpful.
FYI, Line 99 is
my %cfs = %{$ticketObj->{'CustomFields'}};
#!/usr/bin/perl
use strict;
use Encode;
use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use JSON qw/decode_json encode_json/;
=head1
We start by performing a Tickets query using ticket SQL, in this example
we are just searching the queue 'General'. Next we need to grab our
custom field IDs based on their names so that we know which value
correlates to which custom field.
Then we can loop through our tickets and get the desired values from each ticket.
We then output the data to a file.
=cut
# One shared HTTP client for every request in this script; any single call
# is abandoned after 15 seconds.
my $ua = LWP::UserAgent->new( timeout => 15 );

# CHANGE THE FOUR SETTINGS BELOW (base URL, token, custom field list, query).
# Keep the '&page=' portion at the end of the query.
my $url = 'https://rt.redacted.com/REST/2.0/';

# The token is attached as an Authorization header to every request made
# through $ua. Because it is stored in this file, the script should be
# readable only by the account that runs it.
$ua->default_header( Authorization => 'token redacted' );

# Names of the custom fields to export for each ticket.
my @cf_names = (
    'Determination',
    'Method',
    'Analyst Name',
    'Feedback',
);

# TicketSQL search; the page number is appended to this string later on.
my $query = 'tickets?query='
    . q{Queue = 'Redacted' AND LastUpdated >= '5 minutes ago'}
    . '&page=';
#my $query ="tickets?query=LastUpdated > '2024-04-24T15:46:04Z' AND Queue = 'Redacted'&page=";

# Custom field name => custom field ID, filled in by the lookup loop below.
my %customfields;
# Resolve each configured custom field name to its ID by searching the
# 'customfields' endpoint with a JSON filter on Name.
print "Querying custom fields\n";
for my $cf_name (@cf_names) {
    my $search   = encode_json( [ { field => 'Name', value => $cf_name } ] );
    my $response = $ua->post( $url . 'customfields', Content => $search );

    # decode_json dies if the body is not JSON (for example an error page).
    my $cf_query_result = decode_json( $response->decoded_content );

    # Anything other than a hash with a non-zero count means no match.
    unless ( ref $cf_query_result eq 'HASH' && $cf_query_result->{'count'} ) {
        print "[ERROR] No data was received for custom field: " . $cf_name . ", this could be due to RT rights.\n";
        next;
    }

    # Store the ID of the first match under the field's name.
    $customfields{$cf_name} = $cf_query_result->{'items'}[0]{id};
}
# Build a queue ID => queue name cache once, rather than looking the queue
# up again for every ticket.
my $queues = decode_json( $ua->get( $url . 'queues/all' )->decoded_content );
my %queues;
foreach my $queue_item ( @{ $queues->{'items'} } ) {

    # NOTE(review): '_url' is taken from the server's response, and $ua adds
    # its default Authorization header to this request as well, so the token
    # goes to whatever host that URL names.
    my $queueObj = $ua->get( $queue_item->{'_url'} )->decoded_content;
    if ($queueObj) {
        $queueObj = decode_json($queueObj);
    }
    $queues{ $queueObj->{'id'} } = $queueObj->{'Name'};
}
# This will most likely need to be changed to avoid a timeout. An easy
# solution is to split the query by 'created' dates so that one day's worth
# of tickets is pulled at a time.
# This first request (no page number) is only used to report the total.
my $tickets_query = decode_json( $ua->get( $url . $query )->decoded_content );
print "Plan on querying $tickets_query->{'total'} tickets \n";

# The output file is opened with '>', so each run replaces the previous dump.
print "Open our log file\n";
my $filename = '/opt/dump_rt_tickets/redacted_incremental_dump.txt';
open my $fh, '>', $filename
    or die "Could not open file '$filename' $!";

# Paging state: current page number, the decoded page, and the text
# accumulated for the output file.
my $count = 1;
my $page  = decode_json( $ua->get( $url . $query . $count )->decoded_content );
my $final_output;
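# Wrap a value in double quotes for the "key":"value" lines written below.
# Ticket text such as the Subject is supplied by whoever opened the ticket,
# so the characters that delimit a value (double quote, backslash) are
# escaped and line breaks are collapsed to a space. Without this, a crafted
# value could add or overwrite fields in the file that Splunk ingests.
# Values containing those characters will look different from earlier dumps.
my $quote_value = sub {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/\\/\\\\/g;
    $value =~ s/"/\\"/g;
    $value =~ s/[\r\n]+/ /g;
    return '"' . $value . '"';
};

# Walk the result pages until one comes back with a count of zero, fetching
# every ticket in full and appending its fields to $final_output.
while ( $page->{'count'} ) {
    foreach my $ticket ( sort { $a->{'id'} <=> $b->{'id'} } @{ $page->{items} } ) {
        my $ret = '';

        my $ticketObj = $ua->get( $url . "ticket/" . $ticket->{'id'} )->decoded_content;

        # A body that is not valid JSON is handled like an empty body: the
        # ticket is reported and skipped instead of aborting the whole run.
        $ticketObj = eval { decode_json($ticketObj) } if $ticketObj;
        if ( ref $ticketObj ne 'HASH' ) {
            print "[ERROR] No data was received for ticket: " . $ticket->{'id'} . "\n";
            next;
        }
        print "Grabbing data for ticket #" . $ticket->{'id'} . "\n";

        for my $field (qw/id Subject Status Queue Owner Requestor Creator Created Resolved LastUpdated/) {
            my $value = $ticketObj->{$field};
            if ( $field eq 'Queue' ) {
                # Translate the queue ID into its name using the cache.
                my $queue_name
                    = ( ref $value eq 'HASH' && defined $value->{'id'} )
                    ? $queues{ $value->{'id'} }
                    : undef;
                $ret .= "\"$field\":" . $quote_value->($queue_name) . "\n";
            }
            elsif ( ref $value eq 'ARRAY' ) {
                # A list of objects (for example several requestors).
                $ret .= "\"$field\":"
                    . join( ", ", map { $quote_value->( $_->{'id'} || '-' ) } @{$value} )
                    . "\n";
            }
            elsif ( ref $value eq 'HASH' ) {
                $ret .= "\"$field\":" . $quote_value->( $value->{'id'} || '-' ) . "\n";
            }
            else {
                $ret .= "\"$field\":" . $quote_value->( $value || '-' ) . "\n";
            }
        }

        # Normalise CustomFields to "custom field ID => array of values".
        # The original code required a hash and died with "Not a HASH
        # reference" when the server sent anything else. An array of
        # { id, name, values } entries is accepted here as well.
        # NOTE(review): that array shape is what RT 5's REST 2.0 is expected
        # to return; confirm against one raw ticket response from your server.
        my $cf_data = $ticketObj->{'CustomFields'};
        my %cfs;
        if ( ref $cf_data eq 'HASH' ) {
            %cfs = %{$cf_data};
        }
        elsif ( ref $cf_data eq 'ARRAY' ) {
            for my $entry ( @{$cf_data} ) {
                next unless ref $entry eq 'HASH' && defined $entry->{'id'};
                $cfs{ $entry->{'id'} } = $entry->{'values'};
            }
        }

        foreach my $cf (@cf_names) {
            # The ID is undefined when the earlier name lookup failed.
            my $cf_id  = $customfields{$cf};
            my $values = defined $cf_id ? $cfs{$cf_id} : undef;

            # Only plain scalar values are written; a missing or empty
            # field is written as "-".
            my @plain = ref $values eq 'ARRAY'
                ? grep { defined $_ && !ref $_ } @{$values}
                : ();
            my @cf_values = @plain ? map { $quote_value->($_) } @plain : ('"-"');
            $ret .= "\"$cf\":" . join( ", ", @cf_values ) . "\n";
        }

        $final_output .= $ret;
    }

    # Fetch the next page; the loop ends when a page reports a count of zero.
    $count++;
    $page = decode_json( $ua->get( $url . $query . $count )->decoded_content );
}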
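# Write everything collected above to the dump file as UTF-8.
# $final_output is still undefined when the query matched no tickets, which
# is routine for a "last 5 minutes" window, so fall back to an empty string.
my $dump_text = defined $final_output ? $final_output : '';

# Check both the write and the close: buffered write errors (for example a
# full disk) only show up here, and a silently truncated file would be
# ingested by Splunk as if it were complete.
print {$fh} encode( 'UTF-8', $dump_text )
    or die "Could not write to file '$filename' $!";
close $fh
    or die "Could not close file '$filename' $!";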