Alerting

Number of License violation in a month alert

pdash
Path Finder

Hi, I want to generate a license violation alert based on the day of the month. Say I have a 4th violation on the 2nd day of the month. How do I represent that day and license violation? Currently I am trying to implement this:

index=_internal source=*license_audit.log LicenseManager-Audit | bucket _time span=1d as date | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0 | convert timeformat="%m/%d/%Y" ctime(date)


martin_mueller
SplunkTrust

License violations are counted on a sliding 30-day window, so the day of the month should not matter. To count the number of violations in that window you just need to set your time range to 30 days ago to today.

However, if you really want to match against the day of month you can look at the numeric field date_mday. If that's 2 then you had a violation on the 2nd day of the month.

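To make the two approaches in this thread concrete, here is an added Python example (not Splunk code and not from either poster) that does offline what the search and the answer describe: bucket license_audit.log events by day, detect days on which quotaExceededCount rose against the previous day (the delta step; the sign is reversed compared with the original search because events are processed oldest-first here), report the day of month as Splunk's date_mday would, and count new violations inside a sliding 30-day window. The sample log lines are constructed for this example; only the field name quotaExceededCount and the component name LicenseManager-Audit come from the thread, and the rest of the line layout (timestamp format, allowed_to_index) is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of a license_audit.log entry
# (timestamp, component, key=value pairs). quotaExceededCount is the counter
# the original search works with; everything else in the line is assumed.
SAMPLE_LOG = """\
05-01-2024 00:00:05.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=3, allowed_to_index=1
05-02-2024 00:00:05.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=4, allowed_to_index=1
05-02-2024 12:00:05.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=4, allowed_to_index=1
05-03-2024 00:00:05.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=4, allowed_to_index=1
05-10-2024 00:00:05.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=5, allowed_to_index=1
06-02-2024 00:00:05.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=6, allowed_to_index=1
"""

# Pull the timestamp and the counter out of one log line (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4} .*?"
    r"LicenseManager-Audit - .*?quotaExceededCount=(?P<count>\d+)"
)


def daily_counts(log_text):
    """Equivalent of `bucket _time span=1d`: the last quotaExceededCount seen
    on each calendar day, ordered oldest first."""
    per_day = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not audit entries
        day = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S").date()
        per_day[day] = int(m.group("count"))
    return dict(sorted(per_day.items()))


def violation_days(log_text):
    """Days on which the counter rose against the previous logged day (the
    `delta` step), each with the day of month as Splunk's date_mday gives it."""
    counts = daily_counts(log_text)
    out = []
    prev = None
    for day, count in counts.items():
        if prev is not None and count > prev:
            out.append({
                "date": day.strftime("%m/%d/%Y"),
                "date_mday": day.day,
                "quotaExceededCount": count,
                "new_violations": count - prev,
            })
        prev = count
    return out


def violations_in_window(log_text, as_of, days=30):
    """Number of new violations in the sliding window ending on as_of
    (a "%m/%d/%Y" string), which is what the answer recommends alerting on."""
    end = datetime.strptime(as_of, "%m/%d/%Y").date()
    start = end - timedelta(days=days)
    total = 0
    for v in violation_days(log_text):
        d = datetime.strptime(v["date"], "%m/%d/%Y").date()
        if start < d <= end:
            total += v["new_violations"]
    return total


if __name__ == "__main__":
    for v in violation_days(SAMPLE_LOG):
        print(v)
    print("violations in the 30 days ending 06/02/2024:",
          violations_in_window(SAMPLE_LOG, "06/02/2024"))
```

With the constructed data the counter rises on 05/02, 05/10 and 06/02, so two "2nd of the month" rows come out of violation_days, while the 30-day window ending 06/02/2024 contains only the last two increases; that difference is exactly the point the answer makes about the window mattering more than the day of month.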