I am currently ingesting tickets from Zendesk. I pull in data from the previous day, one script for each:
- Tickets: Any created, in the time range
- Audits: Any updated, in the time range
Tickets are simple, no nested fields. It gives information like
- Created Date
- Subject
- Status
- Requester
Audits are more complicated and contain the remaining information. This could be anything from changing the status to adding a comment. Here's an example:
{
"id": 1234567,
"ticket_id": 1111,
"created_at": "2021-02-15T08:03:15Z",
"author_id": -1,
"metadata": {
"system": {},
"custom": {}
},
"events": [
{
"id": 5555555,
"type": "Change",
"value": "closed",
"field_name": "status",
"previous_value": "solved"
}
],
"via": {
"channel": "rule",
"source": {
"to": {},
"from": {
"deleted": false,
"title": "Notify all users on status change",
"id": 3333333
},
"rel": "automation"
}
}
}
What's the best way to tie this into the data model? I certainly could modify my script to transform the data before ingesting, but I'd prefer Splunk to do the heavy lifting. I'd like to be able to merge in things like comments and time tracking (that data would be under the events array with a unique field_name). For example, only items in the events array that contain field_name "comments" should become "All_Ticket_Management.comments" for the ticket that matches its ID.
