データテンプレート：インシデント管理

WITH BaseIncidents AS (
    SELECT 
        hpd.Incident_Number AS IncidentId,
        hpd.Submit_Date,
        hpd.Last_Resolved_Date,
        hpd.Closed_Date,
        hpd.Company,
        hpd.Description,
        hpd.Categorization_Tier_1, 
        hpd.Categorization_Tier_2, 
        hpd.Categorization_Tier_3,
        hpd.Priority,
        hpd.Urgency AS Severity, -- Using Urgency as Severity is a common practice
        hpd.Assigned_Group,
        hpd.Assignee,
        hpd.Status
    FROM HPD_Help_Desk hpd
    WHERE hpd.Submit_Date >= '{start_date}' AND hpd.Submit_Date < '{end_date}'
    -- Optional: Filter by a specific company if needed
    -- AND hpd.Company = '[Your Company Name]'
)
-- 1. Incident Reported
SELECT 
    bi.IncidentId AS IncidentId,
    'Incident Reported' AS ActivityName,
    DATEADD(s, bi.Submit_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'New' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM BaseIncidents bi
UNION ALL
-- 2. Incident Categorized (approximated at submission time)
SELECT 
    bi.IncidentId AS IncidentId,
    'Incident Categorized' AS ActivityName,
    DATEADD(s, bi.Submit_Date + 1, '1970-01-01') AS EventTimestamp, -- Adding 1 second to ensure order
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'New' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM BaseIncidents bi
UNION ALL
-- 3. Assigned to Support Group (first assignment)
SELECT
    log.Incident_Number,
    'Assigned to Support Group' AS ActivityName,
    DATEADD(s, log.Assignment_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Assigned' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    log.Assigned_Group AS AssignedSupportGroup,
    log.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Assignment_Log log
JOIN BaseIncidents bi ON log.Incident_Number = bi.IncidentId
WHERE log.Request_Type = 'Assignee'
AND log.Assignment_Date = (SELECT MIN(sub.Assignment_Date) FROM HPD_Assignment_Log sub WHERE sub.Incident_Number = log.Incident_Number AND sub.Request_Type = 'Assignee')
UNION ALL
-- 4. Investigation Started (Status moves to 'In Progress')
SELECT 
    bi.IncidentId,
    'Investigation Started' AS ActivityName,
    DATEADD(s, al.Log_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'In Progress' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Help_Desk_AuditLogSystem al
JOIN BaseIncidents bi ON al.Original_Request_ID = bi.IncidentId
WHERE al.Fields_Changed LIKE '%Status%' AND al.New_Value_of_Field = '2' -- 2 = In Progress
AND al.Log_Date = (SELECT MIN(sub.Log_Date) FROM HPD_Help_Desk_AuditLogSystem sub WHERE sub.Original_Request_ID = al.Original_Request_ID AND sub.Fields_Changed LIKE '%Status%' AND sub.New_Value_of_Field = '2')
UNION ALL
-- 5. Transferred to Another Group (subsequent assignments)
SELECT
    log.Incident_Number,
    'Transferred to Another Group' AS ActivityName,
    DATEADD(s, log.Assignment_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Assigned' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    log.Assigned_Group AS AssignedSupportGroup,
    log.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Assignment_Log log
JOIN BaseIncidents bi ON log.Incident_Number = bi.IncidentId
WHERE log.Request_Type = 'Assignee'
AND log.Assignment_Date > (SELECT MIN(sub.Assignment_Date) FROM HPD_Assignment_Log sub WHERE sub.Incident_Number = log.Incident_Number AND sub.Request_Type = 'Assignee')
UNION ALL
-- 6. Workaround Implemented (Using status reason as an indicator, may need adjustment)
SELECT 
    bi.IncidentId,
    'Workaround Implemented' AS ActivityName,
    DATEADD(s, al.Log_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Pending' AS IncidentStatus, -- Often associated with a Pending status
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Help_Desk_AuditLogSystem al
JOIN BaseIncidents bi ON al.Original_Request_ID = bi.IncidentId
WHERE al.Fields_Changed LIKE '%Status_Reason%' AND al.New_Value_of_Field LIKE '%Workaround%'
UNION ALL
-- 7. Incident Put On Hold (Status moves to 'Pending')
SELECT 
    bi.IncidentId,
    'Incident Put On Hold' AS ActivityName,
    DATEADD(s, al.Log_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Pending' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Help_Desk_AuditLogSystem al
JOIN BaseIncidents bi ON al.Original_Request_ID = bi.IncidentId
WHERE al.Fields_Changed LIKE '%Status%' AND al.New_Value_of_Field = '3' -- 3 = Pending
UNION ALL
-- 8. Pending Status Resumed (Status moves from 'Pending' back to 'In Progress')
SELECT 
    bi.IncidentId,
    'Pending Status Resumed' AS ActivityName,
    DATEADD(s, al.Log_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'In Progress' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Help_Desk_AuditLogSystem al
JOIN BaseIncidents bi ON al.Original_Request_ID = bi.IncidentId
WHERE al.Fields_Changed LIKE '%Status%' AND al.New_Value_of_Field = '2' AND al.Old_Value_of_Field = '3' -- 2 = In Progress, 3 = Pending
UNION ALL
-- 9. Resolution Identified (Using Last_Resolved_Date)
SELECT 
    bi.IncidentId,
    'Resolution Identified' AS ActivityName,
    DATEADD(s, bi.Last_Resolved_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Resolved' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM BaseIncidents bi
WHERE bi.Last_Resolved_Date IS NOT NULL
UNION ALL
-- 10. Incident Resolved (Status moves to 'Resolved')
SELECT 
    bi.IncidentId,
    'Incident Resolved' AS ActivityName,
    DATEADD(s, bi.Last_Resolved_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Resolved' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM BaseIncidents bi
WHERE bi.Last_Resolved_Date IS NOT NULL
UNION ALL
-- 11. User Confirmation Received (Approximated as Closed Date)
SELECT 
    bi.IncidentId,
    'User Confirmation Received' AS ActivityName,
    DATEADD(s, bi.Closed_Date - 1, '1970-01-01') AS EventTimestamp, -- 1 second before closure
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Closed' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM BaseIncidents bi
WHERE bi.Closed_Date IS NOT NULL AND bi.Last_Resolved_Date IS NOT NULL AND bi.Status = 5
UNION ALL
-- 12. Incident Reopened
SELECT 
    bi.IncidentId,
    'Incident Reopened' AS ActivityName,
    DATEADD(s, al.Log_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'In Progress' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM HPD_Help_Desk_AuditLogSystem al
JOIN BaseIncidents bi ON al.Original_Request_ID = bi.IncidentId
WHERE al.Fields_Changed LIKE '%Status%' AND al.New_Value_of_Field IN ('1', '2') AND al.Old_Value_of_Field IN ('4', '5') -- From Resolved/Closed to Assigned/In Progress
UNION ALL
-- 13. SLA Breach Detected
SELECT 
    bi.IncidentId,
    'SLA Breach Detected' AS ActivityName,
    DATEADD(s, slm.OverallStopTime, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    CASE bi.Status WHEN 4 THEN 'Resolved' WHEN 5 THEN 'Closed' ELSE 'In Progress' END AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    'Breached' AS SLAStatus
FROM SLM_Measurement slm
JOIN BaseIncidents bi ON slm.ApplicationUserFriendlyID = bi.IncidentId
WHERE slm.GoalStatus = 4 -- 4 = Missed
UNION ALL
-- 14. Incident Closed
SELECT 
    bi.IncidentId,
    'Incident Closed' AS ActivityName,
    DATEADD(s, bi.Closed_Date, '1970-01-01') AS EventTimestamp,
    'Bmc Helix' AS SourceSystem,
    GETUTCDATE() AS LastDataUpdate,
    'Closed' AS IncidentStatus,
    bi.Priority,
    bi.Severity,
    bi.Assigned_Group AS AssignedSupportGroup,
    bi.Assignee AS AssignedAgent,
    bi.Categorization_Tier_1 + ' / ' + bi.Categorization_Tier_2 + ' / ' + bi.Categorization_Tier_3 AS IncidentCategory,
    NULL AS SLAStatus
FROM BaseIncidents bi
WHERE bi.Closed_Date IS NOT NULL AND bi.Status = 5
ORDER BY IncidentId, EventTimestamp;

import requests
import pandas as pd
from datetime import datetime

class=class="hl-string">"hl-comment"># --- Configuration Settings --- 
class=class="hl-string">"hl-comment"># Replace with your BMC Helix environment details
HELIX_URL = class="hl-string">"https://[your-tenant].onbmc.com"
HELIX_USER = class="hl-string">"[YOUR_USERNAME]"
HELIX_PASSWORD = class="hl-string">"[YOUR_PASSWORD]"

class=class="hl-string">"hl-comment"># Define the date range for the extraction (YYYY-MM-DD)
START_DATE = class="hl-string">"[START_DATE]" class=class="hl-string">"hl-comment"># Example: class="hl-string">"2023-01-01"
END_DATE = class="hl-string">"[END_DATE]"     class=class="hl-string">"hl-comment"># Example: class="hl-string">"2023-06-30"

class=class="hl-string">"hl-comment"># Fields to retrieve from the main Incident form
INCIDENT_QUERY_FIELDS = (
    class="hl-string">"'Incident Number', 'Submitter', 'Submit Date', 'Status', 'Status_Reason', "
    class="hl-string">"'Priority', 'Urgency', 'Impact', 'Service Type', 'Assigned Group', 'Assignee', "
    class="hl-string">"'Last Resolved Date', 'Closed Date', 'Company', 'Description', 'Target Date'"
)

PAGE_SIZE = 1000

class=class="hl-string">"hl-comment"># --- Main Script --- 

def get_jwt_token(session, base_url, user, password):
    class="hl-string">"""Authenticates with the API and returns a JWT token."""
    login_url = fclass="hl-string">"{base_url}/api/jwt/login"
    auth_data = {class="hl-string">"username": user, class="hl-string">"password": password}
    try:
        response = session.post(login_url, data=auth_data, headers={class="hl-string">'Content-Type': class="hl-string">'application/x-www-form-urlencoded'})
        response.raise_for_status()
        return response.text
    except requests.exceptions.RequestException as e:
        print(fclass="hl-string">"Error during authentication: {e}")
        return None

def fetch_paginated_data(session, url, params):
    class="hl-string">"""Fetches all pages of data from a given endpoint."""
    all_entries = []
    start_index = 0
    while True:
        params[class="hl-string">'offset'] = start_index
        response = session.get(url, params=params)
        response.raise_for_status()
        data = response.json()
        entries = data.get(class="hl-string">'entries', [])
        all_entries.extend(entries)
        if not entries or len(entries) < params.get(class="hl-string">'limit', PAGE_SIZE):
            break
        start_index += len(entries)
    return all_entries

def map_audit_log_to_activity(log_entry, prev_values):
    class="hl-string">"""Maps audit log changes to specific activity names."""
    fields_changed = log_entry[class="hl-string">'values'].get(class="hl-string">'Fields Changed', class="hl-string">'')
    log_date = datetime.fromisoformat(log_entry[class="hl-string">'values'][class="hl-string">'Log Date'].replace(class="hl-string">'Z', class="hl-string">'+00:00')).isoformat()
    
    class=class="hl-string">"hl-comment"># Status changes
    if class="hl-string">'Status' in fields_changed:
        new_status = log_entry[class="hl-string">'values'].get(class="hl-string">'Status', class="hl-string">'')
        prev_status = prev_values.get(class="hl-string">'Status', class="hl-string">'')
        if prev_status == class="hl-string">'Assigned' and new_status == class="hl-string">'In Progress': return {class="hl-string">'ActivityName': class="hl-string">'Investigation Started', class="hl-string">'Timestamp': log_date}
        if prev_status == class="hl-string">'Pending' and new_status == class="hl-string">'In Progress': return {class="hl-string">'ActivityName': class="hl-string">'Pending Status Resumed', class="hl-string">'Timestamp': log_date}
        if new_status == class="hl-string">'Pending': return {class="hl-string">'ActivityName': class="hl-string">'Incident Put On Hold', class="hl-string">'Timestamp': log_date}
        if new_status == class="hl-string">'Resolved': return {class="hl-string">'ActivityName': class="hl-string">'Incident Resolved', class="hl-string">'Timestamp': log_date}
        if new_status == class="hl-string">'Closed': return {class="hl-string">'ActivityName': class="hl-string">'Incident Closed', class="hl-string">'Timestamp': log_date}
        if prev_status in [class="hl-string">'Resolved', class="hl-string">'Closed'] and new_status in [class="hl-string">'In Progress', class="hl-string">'Assigned']: return {class="hl-string">'ActivityName': class="hl-string">'Incident Reopened', class="hl-string">'Timestamp': log_date}
    
    class=class="hl-string">"hl-comment"># Assignment changes
    if class="hl-string">'Assigned Group' in fields_changed:
        new_group = log_entry[class="hl-string">'values'].get(class="hl-string">'Assigned Group')
        if prev_values.get(class="hl-string">'Assigned Group') is None and new_group is not None: return {class="hl-string">'ActivityName': class="hl-string">'Assigned to Support Group', class="hl-string">'Timestamp': log_date}
        if prev_values.get(class="hl-string">'Assigned Group') is not None and new_group is not None and prev_values.get(class="hl-string">'Assigned Group') != new_group:
            return {class="hl-string">'ActivityName': class="hl-string">'Transferred to Another Group', class="hl-string">'Timestamp': log_date}

    class=class="hl-string">"hl-comment"># Other specific activities
    if class="hl-string">'Service Type' in fields_changed or class="hl-string">'Categorization Tier 1' in fields_changed: return {class="hl-string">'ActivityName': class="hl-string">'Incident Categorized', class="hl-string">'Timestamp': log_date}
    if class="hl-string">'Status_Reason' in fields_changed and log_entry[class="hl-string">'values'].get(class="hl-string">'Status_Reason') == class="hl-string">'Solution Provided': return {class="hl-string">'ActivityName': class="hl-string">'Resolution Identified', class="hl-string">'Timestamp': log_date}
    if class="hl-string">'Status_Reason' in fields_changed and log_entry[class="hl-string">'values'].get(class="hl-string">'Status_Reason') == class="hl-string">'Customer Confirmation': return {class="hl-string">'ActivityName': class="hl-string">'User Confirmation Received', class="hl-string">'Timestamp': log_date}
    if class="hl-string">'z1D_WorkInfoType' in fields_changed and log_entry[class="hl-string">'values'].get(class="hl-string">'z1D_WorkInfoType') == class="hl-string">'Workaround': return {class="hl-string">'ActivityName': class="hl-string">'Workaround Implemented', class="hl-string">'Timestamp': log_date}

    return None

if __name__ == class="hl-string">"__main__":
    event_log = []
    session = requests.Session()

    class=class="hl-string">"hl-comment"># 1. Authenticate
    print(class="hl-string">"Authenticating with BMC Helix...")
    jwt_token = get_jwt_token(session, HELIX_URL, HELIX_USER, HELIX_PASSWORD)
    if not jwt_token:
        exit()
    session.headers.update({class="hl-string">'Authorization': fclass="hl-string">'AR-JWT {jwt_token}'})

    class=class="hl-string">"hl-comment"># 2. Fetch Incidents
    print(fclass="hl-string">"Fetching incidents from {START_DATE} to {END_DATE}...")
    incident_url = fclass="hl-string">"{HELIX_URL}/api/arsys/v1/entry/HPD:Help Desk"
    qualification = fclass="hl-string">"'Submit Date' >= \"{START_DATE}T00:00:00Z\class="hl-string">" AND 'Submit Date' <= \"{END_DATE}T23:59:59Z\class="hl-string">""
    params = {class="hl-string">'q': qualification, class="hl-string">'fields': fclass="hl-string">'values({INCIDENT_QUERY_FIELDS})', class="hl-string">'limit': PAGE_SIZE}

    try:
        incidents = fetch_paginated_data(session, incident_url, params)
        print(fclass="hl-string">"Found {len(incidents)} incidents.")

        class=class="hl-string">"hl-comment"># 3. Process each incident
        for i, incident in enumerate(incidents):
            vals = incident[class="hl-string">'values']
            incident_id = vals.get(class="hl-string">'Incident Number')
            if not incident_id:
                continue
            
            print(fclass="hl-string">"Processing Incident {i+1}/{len(incidents)}: {incident_id}")

            base_attributes = {
                class="hl-string">'IncidentId': incident_id,
                class="hl-string">'SourceSystem': class="hl-string">'Bmc Helix',
                class="hl-string">'LastDataUpdate': datetime.now().isoformat(),
                class="hl-string">'Priority': vals.get(class="hl-string">'Priority'),
                class="hl-string">'Severity': vals.get(class="hl-string">'Impact'),
                class="hl-string">'IncidentCategory': vals.get(class="hl-string">'Service Type')
            }
            
            class=class="hl-string">"hl-comment"># Activity: Incident Reported
            event_log.append({
                **base_attributes,
                class="hl-string">'ActivityName': class="hl-string">'Incident Reported',
                class="hl-string">'EventTimestamp': datetime.fromisoformat(vals[class="hl-string">'Submit Date'].replace(class="hl-string">'Z', class="hl-string">'+00:00')).isoformat(),
                class="hl-string">'IncidentStatus': class="hl-string">'New',
                class="hl-string">'AssignedSupportGroup': vals.get(class="hl-string">'Assigned Group'),
                class="hl-string">'AssignedAgent': vals.get(class="hl-string">'Assignee'),
                class="hl-string">'SLAStatus': class="hl-string">'In Progress'
            })

            class=class="hl-string">"hl-comment"># 4. Fetch Audit Log
            audit_url = fclass="hl-string">"{HELIX_URL}/api/arsys/v1/entry/HPD:HelpDesk_AuditLogSystem"
            audit_params = {
                class="hl-string">'q': fclass="hl-string">"'Incident Number' = \"{incident_id}\class="hl-string">"",
                class="hl-string">'fields': class="hl-string">"values(Log Date, Fields Changed, Status, Assigned Group, Status_Reason, z1D_WorkInfoType, Service Type, Categorization Tier 1)",
                class="hl-string">'sort': class="hl-string">'Log Date.asc'
            }
            audit_logs = fetch_paginated_data(session, audit_url, audit_params)

            class=class="hl-string">"hl-comment"># 5. Map audit log to activities
            current_values = {class="hl-string">'Status': class="hl-string">'New', class="hl-string">'Assigned Group': None}
            for log in audit_logs:
                activity_info = map_audit_log_to_activity(log, current_values)
                if activity_info:
                    event_log.append({
                        **base_attributes,
                        class="hl-string">'ActivityName': activity_info[class="hl-string">'ActivityName'],
                        class="hl-string">'EventTimestamp': activity_info[class="hl-string">'Timestamp'],
                        class="hl-string">'IncidentStatus': log[class="hl-string">'values'].get(class="hl-string">'Status', current_values[class="hl-string">'Status']),
                        class="hl-string">'AssignedSupportGroup': log[class="hl-string">'values'].get(class="hl-string">'Assigned Group', current_values.get(class="hl-string">'Assigned Group')),
                        class="hl-string">'AssignedAgent': None, class=class="hl-string">"hl-comment"># Assignee not typically in audit log
                        class="hl-string">'SLAStatus': class="hl-string">'In Progress' class=class="hl-string">"hl-comment"># Simplified
                    })
                class=class="hl-string">"hl-comment"># Update current values for next iteration
                current_values[class="hl-string">'Status'] = log[class="hl-string">'values'].get(class="hl-string">'Status', current_values[class="hl-string">'Status'])
                current_values[class="hl-string">'Assigned Group'] = log[class="hl-string">'values'].get(class="hl-string">'Assigned Group', current_values.get(class="hl-string">'Assigned Group'))

            class=class="hl-string">"hl-comment"># Activity: SLA Breach Detected (Calculated)
            resolved_date_str = vals.get(class="hl-string">'Last Resolved Date')
            target_date_str = vals.get(class="hl-string">'Target Date')
            if resolved_date_str and target_date_str:
                resolved_date = datetime.fromisoformat(resolved_date_str.replace(class="hl-string">'Z', class="hl-string">'+00:00'))
                target_date = datetime.fromisoformat(target_date_str.replace(class="hl-string">'Z', class="hl-string">'+00:00'))
                if resolved_date > target_date:
                     event_log.append({
                        **base_attributes,
                        class="hl-string">'ActivityName': class="hl-string">'SLA Breach Detected',
                        class="hl-string">'EventTimestamp': target_date.isoformat(),
                        class="hl-string">'IncidentStatus': vals.get(class="hl-string">'Status'),
                        class="hl-string">'AssignedSupportGroup': vals.get(class="hl-string">'Assigned Group'),
                        class="hl-string">'AssignedAgent': vals.get(class="hl-string">'Assignee'),
                        class="hl-string">'SLAStatus': class="hl-string">'Breached'
                    })

    except requests.exceptions.RequestException as e:
        print(fclass="hl-string">"An API error occurred: {e}")
    except Exception as e:
        print(fclass="hl-string">"An unexpected error occurred: {e}")

    class=class="hl-string">"hl-comment"># 6. Export to CSV
    if event_log:
        print(class="hl-string">"Exporting event log to CSV...")
        df = pd.DataFrame(event_log)
        df = df.sort_values(by=[class="hl-string">'IncidentId', class="hl-string">'EventTimestamp'])
        df.to_csv(class="hl-string">'bmc_helix_incident_event_log.csv', index=False)
        print(class="hl-string">"Extraction complete. File 'bmc_helix_incident_event_log.csv' created.")
    else:
        print(class="hl-string">"No events were generated.")