Alerting

Number of License violation in a month alert

pdash
Path Finder

Hi, I want to generate a license violation alert based on the day of the month. Say I have a 4th violation on the 2nd day of the month. How do I represent that day and the license violation? Currently I am trying to implement this:

index=_internal source=*license_audit.log LicenseManager-Audit | bucket _time span=1d as date | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff | search quotadiff<0 | convert timeformat="%m/%d/%Y" ctime(date)


martin_mueller
SplunkTrust

License violations are counted on a sliding 30-day window, so the day of the month should not matter. To count the number of violations in that window you just need to set your time range to 30 days ago to today.

However, if you really want to match against the day of month you can look at the numeric field date_mday. If that's 2 then you had a violation on the 2nd day of the month.

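The sliding 30-day window from the answer, written as a search you can save as an alert. This is an added example, not from the thread: it assumes, as the question does, that quotaExceededCount in license_audit.log is a running counter, so a positive day-over-day delta marks a day with a violation; the names violation_date, day_of_month and violations_in_window are mine.

```spl
index=_internal source=*license_audit.log LicenseManager-Audit earliest=-30d@d latest=now
| bucket _time span=1d
| stats max(quotaExceededCount) AS quotaExceededCount BY _time
| sort 0 _time
| delta quotaExceededCount AS quotadiff
| where quotadiff > 0
| eval violation_date=strftime(_time, "%m/%d/%Y"), day_of_month=tonumber(strftime(_time, "%d"))
| eventstats count AS violations_in_window
| table violation_date day_of_month quotadiff violations_in_window
```

Each result row is one day on which the counter rose, and violations_in_window is the total across the 30 days, so the alert condition can be a threshold on that field rather than on the day of the month; to match a specific day as the answer describes, add `| where day_of_month=2` before the table (the same test as date_mday=2 on the raw events).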