I set this alert up about a month ago and have received 2 emails from the alert warning of license violations. I can log in to Splunk web and look in Manager > License and see that I have not had any license violations.
I would like to get rid of these false positive alerts if possible. Has anybody else had this problem?
It's hard to understand how that search could be wrong. My guess is you're getting alerts for license violations on hosts you don't care about, like forwarders. Try running the search manually to see what comes up, say over the past several weeks?