Hi,

I have the search below, which provides license pool violations information. I want to take this information and generate a report that shows only the violations for the past 7 days. Unfortunately, the "Warning Days - (Soft)/Hard" field contains the dates, and it puts them all into one event. Is there anyway to break these out?

Search:

| rest splunk_server=local /services/licenser/messages 
| where (category=="license_window" OR category=="pool_over_quota") AND create_time >= now() - (30 * 86400) 
| rename pool_id AS pool 
| eval warning_day=if(category=="pool_over_quota","(".strftime(create_time,"%B %e, %Y").")",strftime(create_time-43200,"%B %e, %Y")) 
| fields pool warning_day 
| join outer pool 
    [ rest splunk_server=local /services/licenser/slaves 
    | mvexpand active_pool_ids 
    | eval slave_name=label 
    | eval pool=active_pool_ids 
    | fields pool slave_name 
    | stats values(slave_name) as "members" by pool] 
| join outer pool 
    [ rest splunk_server=local /services/licenser/pools 
    | eval pool=title 
    | eval quota=if(isnull(effective_quota),quota,effective_quota) 
    | eval quotaGB=round(quota/1024/1024/1024,3) 
    | fields pool stack_id, quotaGB] 
| stats first(pool) as "Pool" first(stack_id) as "Stack ID" first(members) as "Current Members" first(quotaGB) as "Current Quota (GB)" values(warning_day) AS "Warning Days - (Soft)/Hard" by pool 
| fields - pool 
| where Pool = "FMD License" 

Here's the output: