Create alert which contains data from log previous to trigger

huu_huynh
New Member

Hello,

I'm trying to create an alert which will be triggered by a field in a log file and extract the data earlier in the log to assist with troubleshooting.

Extract of log with error below. I have highlighted the error I need to identify and the data previous to the error which I need to send.

I've created a field for Invoice number which I want to be the trigger for the alert and then return the rows I need, but I'm having trouble working out how to do this.

2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"ApprovalCode": "1112_23",
"BailmentDealerCode": "1112",
"InvoiceNumber": "0090328322",
"InvoiceDate": "2018-10-03",
"BailmentLoanModelCode": "HN270",
"Condition": "New",
"DivisionCode": "MC",
"AssetDetails": {
"Description": "CRF150FJU232 RED",
"Model": "CRF150FJUR1998923",
"VINHIN": "12380238104191",
"Colour": "EXTREME RED",
"EngineNumber": "J700635",
"Registration": "",
"YearOfManufacture": 2018,
"SecurityMake": "H"
},
"GrossAmount": 4552.9,
"TaxAmount": 413.9

}|(null)|18|
2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|
2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO BailmentAsset VALUES (@p0, @p1, @Anonymous, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10); select SCOPE_IDENTITY()|(null)|18|
System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader()
at NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)
ClientConnectionId:8e49ad53-df84-494a-a067-b1a443a562ec
Error Number:50000,State:1,Class:16
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: The Bailment Asset could not be saved as it has the same Engine Number as an existing bailment asset; VIN/HIN: 12380238104191; Asset value: $4,139.00\r\n",
"DocumentNumber": null
}|(null)|18|

0 Karma
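The correlation the question asks for, sketched outside Splunk as an added example (not part of the original post and not Splunk's own code): break the log into events at each timestamp, group events on the trailing numeric field, and return everything from the CreateInvoice request to its failed response. The sample log is constructed and abridged from the post, and treating the last pipe-delimited field (`18`) as a per-request correlation key is an assumption.

```python
import re

# Constructed sample, abridged from the log format shown in the post.
SAMPLE_LOG = """\
2018-10-08 05:12:27,100|INFO |Application|wu authenticated|(null)|17|
2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"InvoiceNumber": "0090328322",
"GrossAmount": 4552.9
}|(null)|18|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query|(null)|18|
System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!
Error Number:50000,State:1,Class:16
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: duplicate Engine Number"
}|(null)|18|
"""

EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\|", re.M)
# Assumption: the last pipe-delimited field ("18") identifies the request/thread.
CORRELATION_ID = re.compile(r"\|(\d+)\|\s*$", re.M)
FAILED_INVOICE = re.compile(r"could not be created for Invoice number:\s*(\d+)")

def split_events(text):
    """Break the log at timestamp lines so stack traces stay with their event."""
    starts = [m.start() for m in EVENT_START.finditer(text)] + [len(text)]
    return [text[a:b].rstrip("\n") for a, b in zip(starts, starts[1:])]

def failed_invoice_context(text):
    """Return {invoice: [events]} for each failed CreateInvoice, request to response."""
    open_requests, alerts = {}, {}
    for event in split_events(text):
        match = CORRELATION_ID.search(event)
        if not match:
            continue
        key = match.group(1)
        if "CreateInvoice POST : request" in event:
            open_requests[key] = []          # a new request starts a new context
        if key not in open_requests:
            continue                         # unrelated traffic on another id
        open_requests[key].append(event)
        if "CreateInvoice POST : response" in event:
            context = open_requests.pop(key)
            failed = FAILED_INVOICE.search(event)
            if failed:
                alerts[failed.group(1)] = context
    return alerts
```

An alert built on this idea fires once per failed invoice number and carries the request body, the intermediate INFO rows and the full exception as its payload.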