Some RTIR automation?

Many times a day I will log in to RT+RTIR and consolidate Incident Reports
into Incidents using the IP address field in RTIR. Is there any way to
automate the consolidation process of Incident Reports into Incidents where
there’s an IP address? I would imagine it’s possible but I’m not sure what
to try even.

For those who may not have seen it - RTIR is an addon for RT. It creates
three queues called Incident Reports, Incidents and Investigations.
Incident Reports can be merged or multiple Incident Reports can be linked to
a single Incident. An Incident can be used to create a new ticket called an
Investigation. In our case we use this to consolidate abuse issues reported
by outside parties by linking individual Incident Reports into Incidents and
then opening an investigation with our customer. After our customer replies
to the Investigation we can then respond to all the Incident Reports
separately and all at once when the Incident is resolved.

I had thought, maybe using code in a template, to script the creation of an
Incident if no other open Incident exists with the IP address(es) from the
Incident Reports. If an Incident exists with that IP address and it’s open,
it links the new incident report with that incident. Can a script inside a
template create an Incident?

Then at regular times I can simply list the incidents and open
investigations where needed and look for incident reports with no IP address
in them (rare).

Does anyone have any ideas on how to go about this?

Thanks to anyone who has any ideas on where to start here.

Landon Stewart LStewart@SUPERB.NET
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more “Ahead of the Rest”: http://www.superbhosting.net

Hi,

It’s totally doable with scrips. RTIR itself has a lot of examples
with the bits you need. Basically you need:

When an IR is created with an IP set, or when the IP is changed from no
value to a value, link to an existing incident or create a new one. The first
part is a condition and the second part is an action.

For example lib/RT/Condition/RTIR_BlockActivation.pm is quite close. It
checks whether a ticket is created with the active state or the state is
changed to active.

The action is not that straightforward, but try it and if you have
problems come back to us with detailed questions.

On Fri, Oct 22, 2010 at 9:19 PM, Landon Stewart lstewart@superb.net wrote:


Best regards, Ruslan.
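The condition Ruslan describes (IR created with an IP already set, or the IP going from no value to a value), written out as a complete condition module in the RTIR_BlockActivation.pm style. This is an added example, not RTIR's own code and not code from either poster. The module name RTIR_IPSetOnReport is hypothetical, the queue name "Incident Reports" and the assumption that _RTIR_IP is a multi-valued custom field are mine, and RT::Condition::Generic is the RT 3.8-era base class (RT 4 renamed it RT::Condition).

```perl
package RT::Condition::RTIR_IPSetOnReport;   # hypothetical module name, not part of RTIR
use strict;
use warnings;
use base 'RT::Condition::Generic';            # RT 3.8-era base class (RT::Condition in RT 4)

# Assumption: _RTIR_IP is the multi-valued IP custom field on Incident Reports.
my $IP_CF = '_RTIR_IP';

sub IsApplicable {
    my $self   = shift;
    my $txn    = $self->TransactionObj;
    my $ticket = $self->TicketObj;
    my $type   = $txn->Type;

    # The scrip should be attached to the Incident Reports queue; this guard
    # keeps it harmless if someone later makes it global.
    return 0 unless $ticket->QueueObj->Name eq 'Incident Reports';

    # Case 1: the IR was created with at least one IP filled in. Custom field
    # values are stored before the Create transaction is recorded, so they are
    # already visible here.
    if ( $type eq 'Create' ) {
        my $first = $ticket->FirstCustomFieldValue($IP_CF);
        return ( defined $first && length $first ) ? 1 : 0;
    }

    # Case 2: an IP was added after creation. For a CustomField transaction,
    # Field holds the custom field id and NewValue the value that was added
    # (NewValue is undef when a value is deleted).
    if ( $type eq 'CustomField' ) {
        my $cf = RT::CustomField->new( $self->CurrentUser );
        $cf->Load( $txn->Field );
        return 0 unless $cf->id && $cf->Name eq $IP_CF;

        my $new = $txn->NewValue;
        return 0 unless defined $new && length $new;

        # _RTIR_IP is multi-valued, so every added address is its own
        # transaction. "No value -> a value" therefore means the ticket now
        # holds exactly one address: the one this transaction just added.
        return $ticket->CustomFieldValues($IP_CF)->Count == 1 ? 1 : 0;
    }

    return 0;
}

1;
```

To use it, register an RT::ScripCondition whose ExecModule is RTIR_IPSetOnReport and whose ApplicableTransTypes is 'Create,CustomField' (for instance from an initialdata file), then create a scrip on the Incident Reports queue with that condition. The body of IsApplicable also works pasted into a "User Defined" custom condition in the web UI, since $self there provides the same TransactionObj and TicketObj methods.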

Hello RT-Users,

To recap what I wrote about earlier in this thread:

  • An incident report comes in…
  • If it has at least one IP address in the _RTIR_IP field do EITHER:
    – Link to an existing incident by IP address OR
    – Create a new incident

(The goal is to automatically group Incident Reports by IP address instead
of doing it manually.)

Ruslan wrote back saying:

It’s totally doable with scrips. RTIR itself has a lot of examples
with the bits you need. Basically you need:

When an IR is created with an IP set, or when the IP is changed from no
value to a value, link to an existing incident or create a new one. The first
part is a condition and the second part is an action.

For example lib/RT/Condition/RTIR_BlockActivation.pm is quite close. It
checks whether a ticket is created with the active state or the state is
changed to active.

The action is not that straightforward, but try it and if you have
problems come back to us with detailed questions.

OK, let’s talk about the Condition first…

Is this enough to trigger the condition?
my $self = shift;
my $txn  = $self->TransactionObj;
my $type = $txn->Type;
# Fire when the ticket is created with at least one _RTIR_IP value already set
return 1 if $type eq 'Create'
    && $self->TicketObj->FirstCustomFieldValue('_RTIR_IP');
return 0;

The other thing is the action… I really don’t know where to start on the
action. I know it’s going to be lengthy though because there are some checks
it has to do itself to decide what the exact course of action will be.

Here’s what it should do, I think:

  • foreach IP address in _RTIR_IP
    – Look for an Incident that contains that IP address
    – When it finds one, LINK to that Incident
    – If it does not find one, create a new Incident

There will probably need to be a list of exclusions somewhere. For example,
if someone does a lookup on a domain we host and sends a complaint about it
they might send the domain name, the IP address it resolves to as well as
the IP address of our name server. I wouldn’t want every report that
contained the IP address of our name server linked to a common Incident.

Also there’s a what-if here… What if they report two IP addresses that
already each have an Incident created for them? Would I merge them all
together into one Incident?

Any ideas on where to start writing the action and reviewing the condition
above would be appreciated. On or off list is fine with me.

Thank you!

Landon Stewart LStewart@SUPERB.NET
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more “Ahead of the Rest”: http://www.superbhosting.net

Hi,

Condition looks good. On a side note I recommend you start developing
using RTIR 2.6 and a dev server, then upgrade when the code is ready. We
deleted the RTIR prefix from custom fields and you’ll have to change
that if you delay the upgrade.

Start the action by getting the IP addresses and storing them in an array,
then dumping them into RT’s logs. Look for usage of the CustomFieldValues
method.

On Sat, Dec 18, 2010 at 4:00 AM, Landon Stewart lstewart@superb.net wrote:


Best regards, Ruslan.
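The action half, as an added example covering both Landon's outline (for each IP in _RTIR_IP: find an open Incident carrying it and link, else create one; an exclusion list for addresses like the name server's; the two-IPs-two-Incidents "what if") and Ruslan's advice to start by collecting the IPs with CustomFieldValues and dumping them to RT's logs. This is not RTIR's code and not code from either poster. The module name RTIR_GroupIRByIP is hypothetical, the queue name "Incidents", the use of Status = 'open' for an open Incident and the two excluded addresses (RFC 5737 documentation-range placeholders) are my assumptions, and RT::Action::Generic is the RT 3.8-era base class (RT::Action in RT 4).

```perl
package RT::Action::RTIR_GroupIRByIP;    # hypothetical module name, not part of RTIR
use strict;
use warnings;
use base 'RT::Action::Generic';           # RT 3.8-era base class (RT::Action in RT 4)

# Assumptions: the scrip runs on the "Incident Reports" queue, Incidents live
# in the queue named "Incidents", both queues carry the multi-valued custom
# field _RTIR_IP, and an open Incident has Status 'open'.
my $INCIDENT_QUEUE = 'Incidents';
my $IP_CF          = '_RTIR_IP';

# Addresses that must never cause grouping (e.g. your own name servers).
# Constructed placeholders from the RFC 5737 documentation ranges.
my %EXCLUDED = map { $_ => 1 } qw(192.0.2.53 198.51.100.53);

# Prepare is the read-only step: collect the IR's IPs, drop excluded and
# malformed ones, log what is left. Returning 0 means Commit is not called.
sub Prepare {
    my $self = shift;
    my $ir   = $self->TicketObj;

    my @ips;
    my $values = $ir->CustomFieldValues($IP_CF);
    while ( my $v = $values->Next ) {
        my $ip = $v->Content;
        next unless defined $ip && length $ip;
        # The field is filled from untrusted abuse reports and is interpolated
        # into TicketSQL below, so accept only address/range characters.
        unless ( $ip =~ /^[0-9A-Fa-f.:\/-]+$/ ) {
            $RT::Logger->warning( "IR #" . $ir->id . ": skipping malformed IP value '$ip'" );
            next;
        }
        if ( $EXCLUDED{$ip} ) {
            $RT::Logger->debug( "IR #" . $ir->id . ": ignoring excluded IP $ip" );
            next;
        }
        push @ips, $ip;
    }
    $RT::Logger->debug( "IR #" . $ir->id . ": IPs to group on: " . ( @ips ? "@ips" : '(none)' ) );

    $self->{'ips'} = \@ips;
    return scalar @ips;
}

# Commit links the IR to every open Incident already carrying one of the IPs;
# if there is none it creates a new Incident with those IPs and links to it.
sub Commit {
    my $self = shift;
    my $ir   = $self->TicketObj;
    my @ips  = @{ $self->{'ips'} };

    my $incidents = RT::Tickets->new( $self->CurrentUser );
    $incidents->FromSQL( "Queue = '$INCIDENT_QUEUE' AND Status = 'open' AND ("
            . join( ' OR ', map { "CF.{$IP_CF} = '$_'" } @ips ) . ")" );

    my @found;
    while ( my $inc = $incidents->Next ) { push @found, $inc }

    if ( @found > 1 ) {
        # Two IPs with two existing Incidents: link to all of them and leave
        # the merge decision to a person instead of merging automatically.
        $RT::Logger->warning( "IR #" . $ir->id . " matches " . scalar(@found)
                . " open Incidents (" . join( ', ', map { $_->id } @found ) . "); review for merge" );
    }
    if (@found) {
        $self->_link( $ir, $_->id ) for @found;
        return 1;
    }

    # Nothing open for these IPs: create the Incident, copying the IPs into its
    # own _RTIR_IP so that later reports match it in the search above.
    my $cf = RT::CustomField->new( $self->CurrentUser );
    $cf->LoadByName( Name => $IP_CF, Queue => $INCIDENT_QUEUE );
    unless ( $cf->id ) {
        $RT::Logger->error("Custom field $IP_CF not found on queue $INCIDENT_QUEUE");
        return 0;
    }
    my $incident = RT::Ticket->new( $self->CurrentUser );
    my ( $id, undef, $msg ) = $incident->Create(
        Queue                    => $INCIDENT_QUEUE,
        Subject                  => $ir->Subject,
        'CustomField-' . $cf->id => \@ips,
    );
    unless ($id) {
        $RT::Logger->error( "IR #" . $ir->id . ": could not create Incident: $msg" );
        return 0;
    }
    $RT::Logger->info( "IR #" . $ir->id . ": created Incident #$id for @ips" );
    return $self->_link( $ir, $id );
}

# In RTIR an Incident Report is a member of its Incident, so the link is
# MemberOf from the IR to the Incident.
sub _link {
    my ( $self, $ir, $incident_id ) = @_;
    my ( $ok, $msg ) = $ir->AddLink( Type => 'MemberOf', Target => $incident_id );
    my $line = "IR #" . $ir->id . " -> Incident #$incident_id: $msg";
    $ok ? $RT::Logger->info($line) : $RT::Logger->error($line);
    return $ok;
}

1;
```

Pair it with the condition in a scrip on the Incident Reports queue (register an RT::ScripAction with ExecModule RTIR_GroupIRByIP). Because scrips run as the RT system user, the created Incident has no owner; set Owner in the Create call if your workflow expects one. The Status = 'open' filter is what stops a fresh report from being attached to a long-resolved Incident, and the character check on each IP is what keeps report-supplied text from altering the TicketSQL query.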