Hi, I want to generate a license violation alert based on the day of the month. Say I have a 4th violation on the 2nd day of the month. How do I represent that day and the license violation? Currently I am trying to implement this:
index=_internal source=*license_audit.log LicenseManager-Audit | bucket _time span=1d as date | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff by date | search quotadiff<0 | convert timeformat="%m/%d/%Y" ctime(date)
License violations are counted on a sliding 30-day window, so the day of the month should not matter. To count the number of violations in that window you just need to set your time range from 30 days ago to today.
However, if you really want to match against the day of the month, you can look at the numeric field date_mday. If that is 2, then you had a violation on the 2nd day of the month.
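To make the two ideas in this thread concrete (the delta of quotaExceededCount between consecutive audit events, the sliding 30-day count, and the date_mday-style day-of-month match), here is an added Python example that is not part of the original question or answer. The log lines are constructed for the example and only approximate the LicenseManager-Audit format in license_audit.log: the timestamp layout and the quotaExceededCount key=value pair are assumed, and the pool field is a placeholder.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample lines approximating LicenseManager-Audit entries from
# license_audit.log (not real log data; the field layout is an assumption).
SAMPLE_LOG = """\
02-20-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=1
02-21-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=1
03-02-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=2
03-05-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=3
03-10-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=3
03-15-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=4
04-02-2019 00:00:01.000 +0000 INFO  LicenseManager-Audit - audit: pool=auto_generated_pool_enterprise quotaExceededCount=5
"""

# Timestamp with UTC offset, then anything, then the counter we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*"
    r"LicenseManager-Audit.*\bquotaExceededCount=(?P<count>\d+)"
)


def parse_audit_log(text):
    """Return [(datetime, quotaExceededCount)] oldest first; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
        events.append((ts, int(m.group("count"))))
    events.sort(key=lambda e: e[0])
    return events


def violation_days(events):
    """Days on which quotaExceededCount went up, mapped to the size of the increase.

    This mirrors `delta quotaExceededCount` over consecutive events, but on
    ascending time so an increase is positive. Splunk returns events newest
    first, which is why the search in the question tests for quotadiff<0.
    """
    increases = defaultdict(int)
    for (_, prev), (ts, cur) in zip(events, events[1:]):
        if cur > prev:
            increases[ts.date()] += cur - prev
    return dict(increases)


def violations_in_window(days_with_violations, as_of, window_days=30):
    """Count violation days in the sliding window that ends on as_of (inclusive)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    start = as_of - timedelta(days=window_days - 1)
    return sum(1 for d in days_with_violations if start <= d <= as_of)


def violations_on_mday(days_with_violations, mday):
    """Violation days that fall on a given day of the month (what date_mday exposes in Splunk)."""
    return sorted(d for d in days_with_violations if d.day == mday)


if __name__ == "__main__":
    days = violation_days(parse_audit_log(SAMPLE_LOG))
    print("violation days:", sorted(days))
    print("in the 30-day window ending 2019-03-31:", violations_in_window(days, "2019-03-31"))
    print("violations on the 2nd of a month:", violations_on_mday(days, 2))
```

The window count is the number that matters for the license state, as the answer says; the day-of-month filter is only useful if you want to report which calendar days the counter moved on. Note that the first event of the log has no predecessor, so it can never register as a violation by itself; when you run the equivalent search in Splunk, widen the time range slightly past 30 days so the first bucket in the window has something to delta against.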