I'm using Best Practical "Request Tracker 4" as my ticketing system, and I'm trying to pull the data into Splunk for dashboarding purposes.
Currently I have it set up on DBConnect, but there is a horrible one-to-many database setup where the same field names are used in multiple sourcetypes, forcing the Splunk searches to use a lot of join and append commands. The other issue is the lastupdated field vs. the createddate field and getting accurate information.
We've found a better way, but I need help on improving it. Currently we:
1. Delete the current index of data since the values of recent tickets have probably changed since the last import
2. Export the CSV
3. Import into Splunk
Is there a way I can have a Splunk UF monitor a directory and import the CSV into perhaps a summary index, overwriting the old data with each import? Does the UF allow importing into a lookup?
NOTE: I'm using Splunk Cloud, and have Heavy Forwarders on premises.