topic Create alert which contains data from log previous to trigger in Splunk Dev https://community.splunk.com/t5/Splunk-Dev/Create-alert-which-contains-data-from-log-previous-to-trigger/m-p/437153#M7882 <P>Hello,</P> <P>I'm trying to create an alert which will be triggered by a field in a log file and extract the data earlier in the log to assist with troubleshooting.</P> <P>Extract of log with error below. I have highlighted the error I need to identify and the data previous to the error which I need to send.</P> <P>I've created a field for Invoice number which I want to be the trigger for the alert and then return the rows I need but having trouble how to do this.</P> <P>2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {<BR /> <STRONG>"ApprovalCode": "1112_23",<BR /> "BailmentDealerCode": "1112",<BR /> "InvoiceNumber": "0090328322",<BR /> "InvoiceDate": "2018-10-03",<BR /> "BailmentLoanModelCode": "HN270",<BR /> "Condition": "New",<BR /> "DivisionCode": "MC",<BR /> "AssetDetails": {<BR /> "Description": "CRF150FJU232 RED",<BR /> "Model": "CRF150FJUR1998923",<BR /> "VINHIN": "12380238104191",<BR /> "Colour": "EXTREME RED",<BR /> "EngineNumber": "J700635",<BR /> "Registration": "",<BR /> "YearOfManufacture": 2018,<BR /> "SecurityMake": "H"<BR /> },<BR /> "GrossAmount": 4552.9,<BR /> "TaxAmount": 413.9</STRONG><BR /> }|(null)|18|<BR /> 2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|<BR /> 2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|<BR /> 2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|<BR /> 2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO <A href="https://community.splunk.com/Version,%20RecordState,%20Description,%20ModelNumber,%20VINHIN,%20EngineNumber,%20Registration,%20YearOfManufacture,%20DistributorInvoiceNumber,%20Color,%20SecurityMakeId" target="_blank">BailmentAsset</A> VALUES (@p0, @p1, @Anonymous, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10); select SCOPE_IDENTITY()|(null)|18|<BR /> System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!<BR /> The transaction ended in the trigger. The batch has been aborted.<BR /> at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action<CODE>1 wrapCloseInAction)<BR /> at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action</CODE>1 wrapCloseInAction)<BR /> at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)<BR /> at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean&amp; dataReady)<BR /> at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()<BR /> at System.Data.SqlClient.SqlDataReader.get_MetaData()<BR /> at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)<BR /> at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task&amp; task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)<BR /> at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task&amp; task, Boolean&amp; usedCache, Boolean asyncWrite, Boolean inRetry)<BR /> at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)<BR /> at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)<BR /> at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)<BR /> at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader()<BR /> at NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)<BR /> ClientConnectionId:8e49ad53-df84-494a-a067-b1a443a562ec<BR /> Error Number:50000,State:1,Class:16<BR /> 2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!<BR /> The transaction ended in the trigger. The batch has been aborted.|(null)|18|<BR /> 2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {<BR /> "Success": false,<BR /> <STRONG>"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: The Bailment Asset could not be saved as it has the same Engine Number as an existing bailment asset; VIN/HIN: 12380238104191; Asset value: $4,139.00\r\n",</STRONG><BR /> "DocumentNumber": null<BR /> }|(null)|18|</P> Tue, 29 Sep 2020 21:42:29 GMT huu_huynh 2020-09-29T21:42:29Z Create alert which contains data from log previous to trigger https://community.splunk.com/t5/Splunk-Dev/Create-alert-which-contains-data-from-log-previous-to-trigger/m-p/437153#M7882 <P>Hello,</P> <P>I'm trying to create an alert which will be triggered by a field in a log file and extract the data earlier in the log to assist with troubleshooting.</P> <P>Extract of log with error below. I have highlighted the error I need to identify and the data previous to the error which I need to send.</P> <P>I've created a field for Invoice number which I want to be the trigger for the alert and then return the rows I need but having trouble how to do this.</P> <P>2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {<BR /> <STRONG>"ApprovalCode": "1112_23",<BR /> "BailmentDealerCode": "1112",<BR /> "InvoiceNumber": "0090328322",<BR /> "InvoiceDate": "2018-10-03",<BR /> "BailmentLoanModelCode": "HN270",<BR /> "Condition": "New",<BR /> "DivisionCode": "MC",<BR /> "AssetDetails": {<BR /> "Description": "CRF150FJU232 RED",<BR /> "Model": "CRF150FJUR1998923",<BR /> "VINHIN": "12380238104191",<BR /> "Colour": "EXTREME RED",<BR /> "EngineNumber": "J700635",<BR /> "Registration": "",<BR /> "YearOfManufacture": 2018,<BR /> "SecurityMake": "H"<BR /> },<BR /> "GrossAmount": 4552.9,<BR /> "TaxAmount": 413.9</STRONG><BR /> }|(null)|18|<BR /> 2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|<BR /> 2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|<BR /> 2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|<BR /> 2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO <A href="https://community.splunk.com/Version,%20RecordState,%20Description,%20ModelNumber,%20VINHIN,%20EngineNumber,%20Registration,%20YearOfManufacture,%20DistributorInvoiceNumber,%20Color,%20SecurityMakeId" target="_blank">BailmentAsset</A> VALUES (@p0, @p1, @Anonymous, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10); select SCOPE_IDENTITY()|(null)|18|<BR /> System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!<BR /> The transaction ended in the trigger. The batch has been aborted.<BR /> at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action<CODE>1 wrapCloseInAction)<BR /> at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action</CODE>1 wrapCloseInAction)<BR /> at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)<BR /> at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean&amp; dataReady)<BR /> at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()<BR /> at System.Data.SqlClient.SqlDataReader.get_MetaData()<BR /> at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)<BR /> at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task&amp; task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)<BR /> at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task&amp; task, Boolean&amp; usedCache, Boolean asyncWrite, Boolean inRetry)<BR /> at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)<BR /> at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)<BR /> at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)<BR /> at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader()<BR /> at NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)<BR /> ClientConnectionId:8e49ad53-df84-494a-a067-b1a443a562ec<BR /> Error Number:50000,State:1,Class:16<BR /> 2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!<BR /> The transaction ended in the trigger. The batch has been aborted.|(null)|18|<BR /> 2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {<BR /> "Success": false,<BR /> <STRONG>"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: The Bailment Asset could not be saved as it has the same Engine Number as an existing bailment asset; VIN/HIN: 12380238104191; Asset value: $4,139.00\r\n",</STRONG><BR /> "DocumentNumber": null<BR /> }|(null)|18|</P> Tue, 29 Sep 2020 21:42:29 GMT https://community.splunk.com/t5/Splunk-Dev/Create-alert-which-contains-data-from-log-previous-to-trigger/m-p/437153#M7882 huu_huynh 2020-09-29T21:42:29Z