Solved: License violation alert giving false positives

cdowin · ‎02-14-2011

Howdy. I set up Splunk to alert me of license violations for the amount of daily data my license allows. I set up an alert using the search supplied here:

http://answers.splunk.com/questions/207/how-do-i-alert-on-license-violations

I set this alert up about a month ago and have received 2 emails from the alert warning of license violations. I can login to Splunk web and look in Manager > License and see that I have not had any license violations.

I would like to get rid of these false positive alerts if possible. Has anybody else had this problem?

Thanks, Erik Paulsson

zliu · ‎04-25-2011

The search query has been modified. Please check that link again.

http://answers.splunk.com/questions/207/how-do-i-alert-on-license-violations

View solution in original post

zliu · ‎04-25-2011

The search query has been modified. Please check that link again.

http://answers.splunk.com/questions/207/how-do-i-alert-on-license-violations

Masa · ‎02-25-2012

Here is another useful link;

http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume

jrodman · ‎02-16-2011

It's hard to understand how that search could be wrong. My guess is you're getting alerts for license violations on hosts you don't care about, like forwarders. Try running the search manually to see what comes up, say over the past several weeks?

License violation alert giving false positives

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?