Splunk Dev

Create alert which contains data from log previous to trigger

huu_huynh
New Member

Hello,

I'm trying to create an alert which will be triggered by a field in a log file and extract the data earlier in the log to assist with troubleshooting.

Extract of log with error below. I have highlighted the error I need to identify and the data previous to the error which I need to send.

I've created a field for Invoice number which I want to be the trigger for the alert and then return the rows I need, but I'm having trouble working out how to do this.

2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"ApprovalCode": "1112_23",
"BailmentDealerCode": "1112",
"InvoiceNumber": "0090328322",
"InvoiceDate": "2018-10-03",
"BailmentLoanModelCode": "HN270",
"Condition": "New",
"DivisionCode": "MC",
"AssetDetails": {
"Description": "CRF150FJU232 RED",
"Model": "CRF150FJUR1998923",
"VINHIN": "12380238104191",
"Colour": "EXTREME RED",
"EngineNumber": "J700635",
"Registration": "",
"YearOfManufacture": 2018,
"SecurityMake": "H"
},
"GrossAmount": 4552.9,
"TaxAmount": 413.9

}|(null)|18|
2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|
2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO BailmentAsset VALUES (@p0, @p1, @Anonymous, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10); select SCOPE_IDENTITY()|(null)|18|
System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader()
at NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)
ClientConnectionId:8e49ad53-df84-494a-a067-b1a443a562ec
Error Number:50000,State:1,Class:16
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: The Bailment Asset could not be saved as it has the same Engine Number as an existing bailment asset; VIN/HIN: 12380238104191; Asset value: $4,139.00\r\n",
"DocumentNumber": null
}|(null)|18|
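
An added example, not part of the thread and not Splunk's own code: a Python script that does offline what the alert has to do, so the grouping logic can be checked against the sample before it is written as a search. It splits the pipe-delimited log into multi-line events (a line starting with a timestamp opens an event; JSON bodies, exception text and stack frames continue it), treats the trailing numeric field (`18` in the excerpt) as a request/thread id, which is an assumption since the post does not say what that field is, and for each ERROR event collects the preceding events on the same id together with the `InvoiceNumber` from the request that started the sequence. The sample log is constructed, abridged from the excerpt above; the function and regex names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, abridged from the log excerpt in the post above
# (same pipe-delimited layout; the JSON bodies are shortened).
SAMPLE_LOG = """2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"InvoiceNumber": "0090328322",
"InvoiceDate": "2018-10-03",
"AssetDetails": {
"VINHIN": "12380238104191",
"EngineNumber": "J700635"
},
"GrossAmount": 4552.9
}|(null)|18|
2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|
2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO BailmentAsset VALUES (@p0, @p1); select SCOPE_IDENTITY()|(null)|18|
System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: duplicate Engine Number",
"DocumentNumber": null
}|(null)|18|
"""

# Header of a new event: timestamp|LEVEL|logger|message (message may span lines).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\|(?P<level>[A-Z]+)\s*\|"
    r"(?P<logger>[^|]*)\|(?P<msg>.*)$",
    re.DOTALL,
)
# Trailer at the end of a line. ASSUMPTION: the trailing numeric field ("18" in
# the excerpt) identifies the thread/request that wrote the line.
TRAILER_RE = re.compile(r"\|\(null\)\|(?P<ctx>\d+)\|\s*$", re.MULTILINE)
INVOICE_RE = re.compile(r'"InvoiceNumber"\s*:\s*"(?P<num>[^"]+)"')


def _finish(lines: List[str]) -> Dict[str, str]:
    """Turn the accumulated lines of one event into a field dictionary."""
    raw = "\n".join(lines)
    head = HEADER_RE.match(raw)
    ctx = TRAILER_RE.search(raw)
    if head is None:  # lines before the first header, kept as an opaque event
        return {"ts": "", "level": "UNKNOWN", "logger": "", "message": raw,
                "ctx": ctx.group("ctx") if ctx else "", "raw": raw}
    return {
        "ts": head.group("ts"),
        "level": head.group("level"),
        "logger": head.group("logger"),
        "message": TRAILER_RE.sub("", head.group("msg")),  # drop |(null)|18| trailers
        "ctx": ctx.group("ctx") if ctx else "",
        "raw": raw,
    }


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the log into events: a timestamped line opens a new event, any
    other line (JSON body, exception text, stack frame) continues the current one."""
    events: List[Dict[str, str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if HEADER_RE.match(line) and current:
            events.append(_finish(current))
            current = []
        if line.strip() or current:  # ignore blank lines before the first event
            current.append(line)
    if current:
        events.append(_finish(current))
    return events


def preceding_context(events: List[Dict[str, str]], index: int, lookback: int = 5) -> List[Dict[str, str]]:
    """Events before `index` written by the same ctx id, oldest first, capped at `lookback`."""
    target = events[index]["ctx"]
    if not target:
        return []
    hits = [e for e in events[:index] if e["ctx"] == target]
    return hits[-lookback:]


def find_invoice_number(context: List[Dict[str, str]]) -> Optional[str]:
    """Scan the context newest-to-oldest for an InvoiceNumber field in a logged request."""
    for e in reversed(context):
        m = INVOICE_RE.search(e["message"])
        if m:
            return m.group("num")
    return None


def build_alerts(events: List[Dict[str, str]], lookback: int = 5) -> List[Dict[str, object]]:
    """One alert record per ERROR event: the error line, the invoice the request
    carried (if logged earlier on the same ctx id) and the preceding events."""
    alerts: List[Dict[str, object]] = []
    for i, e in enumerate(events):
        if e["level"] != "ERROR":
            continue
        ctx = preceding_context(events, i, lookback)
        alerts.append({
            "ts": e["ts"],
            "ctx": e["ctx"],
            "error": e["message"].splitlines()[0],
            "invoice_number": find_invoice_number(ctx),
            "context": [f'{c["ts"]} {c["level"]} {c["message"].splitlines()[0]}' for c in ctx],
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The same shape in Splunk is a `rex` extraction for the context id and the `InvoiceNumber`, grouping of events on that id (for example with `transaction`), and an alert condition on grouped events that contain an ERROR; running the script over a real excerpt first shows which preceding rows the grouping actually returns before the search is written.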
