Create alert which contains data from log previous to trigger

huu_huynh
New Member

Hello,

I'm trying to create an alert which will be triggered by a field in a log file and extract the data earlier in the log to assist with troubleshooting.

Extract of log with error below. I have highlighted the error I need to identify and the data previous to the error which I need to send.

I've created a field for Invoice number which I want to be the trigger for the alert and then return the rows I need, but I'm having trouble working out how to do this.

2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"ApprovalCode": "1112_23",
"BailmentDealerCode": "1112",
"InvoiceNumber": "0090328322",
"InvoiceDate": "2018-10-03",
"BailmentLoanModelCode": "HN270",
"Condition": "New",
"DivisionCode": "MC",
"AssetDetails": {
"Description": "CRF150FJU232 RED",
"Model": "CRF150FJUR1998923",
"VINHIN": "12380238104191",
"Colour": "EXTREME RED",
"EngineNumber": "J700635",
"Registration": "",
"YearOfManufacture": 2018,
"SecurityMake": "H"
},
"GrossAmount": 4552.9,
"TaxAmount": 413.9

}|(null)|18|
2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|
2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO BailmentAsset VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10); select SCOPE_IDENTITY()|(null)|18|
System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader()
at NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)
ClientConnectionId:8e49ad53-df84-494a-a067-b1a443a562ec
Error Number:50000,State:1,Class:16
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: The Bailment Asset could not be saved as it has the same Engine Number as an existing bailment asset; VIN/HIN: 12380238104191; Asset value: $4,139.00\r\n",
"DocumentNumber": null
}|(null)|18|
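
The correlation the post asks for, shown outside Splunk as an added Python example (not part of the original post, and not SPL): it splits the log into timestamped events, groups them by the last numeric field (assumed here to be a thread or request id), and returns everything from the `CreateInvoice` request to a failed response, keyed by the invoice number in the error message. The sample log is constructed from the extract above, shortened, with a hypothetical second thread (21) and a `"Success": true` response added to show interleaving.

```python
import re

# Constructed sample: shortened from the post's log, plus an interleaved thread 21.
SAMPLE = """\
2018-10-08 05:12:28,564|INFO |Application|api/v1/invoices/CreateInvoice POST : request : {
"InvoiceNumber": "0090328322",
"EngineNumber": "J700635"
}|(null)|18|
2018-10-08 05:12:28,570|INFO |Application|api/v1/invoices/CreateInvoice POST : request : {
"InvoiceNumber": "0090328400",
"EngineNumber": "J700999"
}|(null)|21|
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v1/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: ..."
}|(null)|18|
2018-10-08 05:12:29,490|INFO |Application|api/v1/invoices/CreateInvoice POST : response : {
"Success": true
}|(null)|21|
"""

EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\|", re.M)
THREAD = re.compile(r"\|[^|\n]*\|(\d+)\|\s*$", re.M)  # trailing "|(null)|18|" (assumed id)
FAILED = re.compile(r"Invoice number:\s*(\d+)")

def split_events(text):
    """Split on timestamped lines so stack traces and JSON stay with their event."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    return [text[a:b].rstrip() for a, b in zip(starts, starts[1:] + [len(text)])]

def failed_invoice_context(text):
    """Map each failed invoice number to its events, request through response."""
    open_requests, alerts = {}, {}  # open_requests: thread id -> events so far
    for ev in split_events(text):
        t = THREAD.search(ev)
        thread = t.group(1) if t else None
        if "POST : request" in ev:
            open_requests[thread] = [ev]
        elif thread in open_requests:
            open_requests[thread].append(ev)
            if "POST : response" in ev:
                events = open_requests.pop(thread)
                m = FAILED.search(ev)
                if '"Success": false' in ev and m:
                    alerts[m.group(1)] = events
    return alerts
```
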
