Create alert which contains data from log previous to trigger

huu_huynh
New Member

Hello,

I'm trying to create an alert which will be triggered by a field in a log file and extract the data earlier in the log to assist with troubleshooting.

Extract of log with error below. I have highlighted the error I need to identify and the data previous to the error which I need to send.

I've created a field for Invoice number which I want to be the trigger for the alert and then return the rows I need, but I'm having trouble working out how to do this.

2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"ApprovalCode": "1112_23",
"BailmentDealerCode": "1112",
"InvoiceNumber": "0090328322",
"InvoiceDate": "2018-10-03",
"BailmentLoanModelCode": "HN270",
"Condition": "New",
"DivisionCode": "MC",
"AssetDetails": {
"Description": "CRF150FJU232 RED",
"Model": "CRF150FJUR1998923",
"VINHIN": "12380238104191",
"Colour": "EXTREME RED",
"EngineNumber": "J700635",
"Registration": "",
"YearOfManufacture": 2018,
"SecurityMake": "H"
},
"GrossAmount": 4552.9,
"TaxAmount": 413.9

}|(null)|18|
2018-10-08 05:12:28,611|INFO |Application|wu authenticated|(null)|18|
2018-10-08 05:12:29,408|INFO |Application|Start Bailment Acct creation|(null)|18|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.AdoNet.AbstractBatcher|Could not execute query: INSERT INTO BailmentAsset VALUES (@p0, @p1, @Anonymous, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10); select SCOPE_IDENTITY()|(null)|18|
System.Data.SqlClient.SqlException (0x80131904): BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
at System.Data.SqlClient.SqlDataReader.get_MetaData()
at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption)
at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry)
at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader()
at NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)
ClientConnectionId:8e49ad53-df84-494a-a067-b1a443a562ec
Error Number:50000,State:1,Class:16
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!
The transaction ended in the trigger. The batch has been aborted.|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: The Bailment Asset could not be saved as it has the same Engine Number as an existing bailment asset; VIN/HIN: 12380238104191; Asset value: $4,139.00\r\n",
"DocumentNumber": null
}|(null)|18|

0 Karma
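
Added example, not part of the original post and not Splunk's own code: the correlation the question asks for, written as standalone Python rather than SPL, so the grouping logic can be checked against a log extract before building the alert. It assumes the last pipe-delimited field (18 in the extract) is a thread ID shared by every record of one API call; the sample log is constructed in the post's layout and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the post's layout: timestamp|level|logger|message|(null)|thread|
SAMPLE_LOG = """\
2018-10-08 05:12:28,564|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : request : {
"InvoiceNumber": "0090328322"
}|(null)|18|
2018-10-08 05:12:28,570|INFO |Application|wu authenticated|(null)|7|
2018-10-08 05:12:29,454|INFO |Application|Start persist new Bailment Acct TR38656|(null)|18|
2018-10-08 05:12:29,486|ERROR|NHibernate.Util.ADOExceptionReporter|BailmentAsset with matching Engine Number already exists!|(null)|18|
2018-10-08 05:12:29,486|INFO |Application|api/v{api-version:apiVersion}/invoices/CreateInvoice POST : response : {
"Success": false,
"ErrorMessage": "Account could not be created for Invoice number: 0090328322; Reason: duplicate engine number"
}|(null)|18|
"""

TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\|")
THREAD = re.compile(r"\|\(null\)\|(\d+)\|")   # assumption: last field is a thread id
INVOICE = re.compile(r"Invoice number: (\d+)")

def split_records(text):
    """Join continuation lines (JSON bodies, stack traces) onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records

def failed_invoice_context(text):
    """One dict per failed CreateInvoice call, with the same-thread records leading up to it."""
    open_calls, alerts = {}, []
    for rec in split_records(text):
        if not (m := THREAD.search(rec)):
            continue
        thread = m.group(1)
        if "POST : request" in rec:
            open_calls[thread] = []            # a new call on this thread starts a window
        if thread not in open_calls:
            continue                           # record is not part of a tracked request
        open_calls[thread].append(rec)
        if "POST : response" in rec:
            window = open_calls.pop(thread)
            body = json.loads(rec[rec.index("{", rec.index("POST : response")):rec.rindex("}") + 1])
            if body.get("Success") is False:
                inv = INVOICE.search(body.get("ErrorMessage") or "")
                alerts.append({"invoice": inv and inv.group(1), "thread": thread, "records": window})
    return alerts
```

Because thread-pool IDs are reused across requests, the window is reset on every new request line and closed on the response, so records from an earlier call on the same thread never leak into the alert context.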