Alerting

Number of License violation in a month alert

pdash
Path Finder

Hi, I want to generate a license violation alert based on the day of the month. Say I have a 4th violation on the 2nd day of the month. How do I represent that day and the license violation? Currently I am trying to implement this:

index=_internal source=*license_audit.log LicenseManager-Audit | bucket _time span=1d as date | delta quotaExceededCount as quotadiff | stats first(quotadiff) as quotadiff by date | search quotadiff<0 | convert timeformat="%m/%d/%Y" ctime(date)


martin_mueller
SplunkTrust

License violations are counted on a sliding 30-day window; the day of the month should not matter. To count the number of violations in that window you just need to set your time range from 30 days ago to today.

However, if you really want to match against the day of month you can look at the numeric field date_mday. If that's 2 then you had a violation on the 2nd day of the month.

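The two ways of counting from the answer (violations inside a sliding 30-day window, and violations grouped by day of month as date_mday does) worked through in Python, as an added example that is not part of this thread. It parses constructed audit lines modelled on the question's LicenseManager-Audit search and quotaExceededCount field; the exact license_audit.log line layout and the reading of quotaExceededCount as a cumulative counter that rises on each new violation are assumptions, not taken from a live system.

```python
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample lines, modelled on the LicenseManager-Audit events the question
# searches. Only the timestamp and quotaExceededCount are used; the rest of the
# real license_audit.log layout is an assumption, not copied from a live system.
SAMPLE_LOG = """\
03-15-2024 00:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=1
03-16-2024 00:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=1
04-02-2024 00:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=2
04-03-2024 00:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=2
04-10-2024 00:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=3
04-10-2024 12:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=3
05-02-2024 00:00:01.000 +0000 INFO  LicenseManager-Audit - quotaExceededCount=4
"""

LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4} .*LicenseManager-Audit.*"
    r"\bquotaExceededCount=(\d+)"
)


def parse_audit(text):
    """Return [(datetime, quotaExceededCount)] in chronological order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an audit line we care about
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
        records.append((ts, int(m.group(2))))
    records.sort()
    return records


def daily_counts(records):
    """Last quotaExceededCount seen on each day: span=1d bucketing with last()."""
    per_day = {}
    for ts, count in records:
        per_day[ts.date()] = count  # later events on the same day overwrite earlier ones
    return per_day


def violation_days(records):
    """Days on which quotaExceededCount rose above the previous day's value.

    Same idea as the delta/quotadiff step in the question, but with events in
    chronological order, so a new violation shows up as a positive delta.
    """
    per_day = daily_counts(records)
    days, previous = [], 0
    for day in sorted(per_day):
        if per_day[day] > previous:
            days.append(day)
        previous = per_day[day]
    return days


def violations_in_window(records, as_of, days=30):
    """Violations in the sliding window ending on as_of (inclusive), 30 days by default.

    This is the count the answer says matters: the equivalent of running the
    search with a time range from 30 days ago to today.
    """
    start = as_of - timedelta(days=days)
    return sum(1 for d in violation_days(records) if start <= d <= as_of)


def violations_by_mday(records):
    """Violations keyed by day of month, the grouping Splunk's date_mday field gives."""
    return Counter(d.day for d in violation_days(records))


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LOG)
    for n, d in enumerate(violation_days(recs), start=1):
        print(f"violation #{n} on {d.isoformat()} (date_mday={d.day})")
    print("in 30-day window ending 2024-05-02:", violations_in_window(recs, date(2024, 5, 2)))
    print("by day of month:", dict(violations_by_mday(recs)))
```

With the constructed data the 4th violation falls on 2024-05-02, so its date_mday is 2, while the sliding window ending that day holds three violations and the window ending 2024-04-03 holds two: the day-of-month view and the 30-day view answer different questions, which is the answer's point.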