The license usage record shows a timestamp of 10:31 AM and you're searching a different time range. I would suggest running your search (also, instead of index=* use index=os) over a time range which includes the time shown in license_usage.log.
LOL, not the best screenshot was it? I loaded a more consistent one.
This has been going on for weeks and there is never anything put in os.
Now, could you verify that you have access to index=os, just to be sure? (Check in the role/user settings or run the REST command | rest /services/authentication/users/<<yourUserName>> )
Strange. So I'm guessing you've tried to run your search with a very wide time range, as the data could be historical? Also, are you running this search from the appropriate SH which has all the indexers as peers? Can you see data for other sourcetypes in index=os?
Also, in your license usage search, the highlighted event has h="", do you get other records with a non-empty h value?
Searching for all time returns nothing for config_file, but I can see other sourcetypes.
Yes, there are valid h values for about 96% of the results in that search.
You should use the license usage report [Settings -- License -- License Usage -- Last 30 days] split by sourcetype to verify what you indexed in your sourcetypes.
Is configfile a sourcetype that you can find in your license usage report?
Because in SplunkTA_nix there isn't this sourcetype, so I don't know where you call it from.
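Added example, not part of any post above: the three checks the thread walks through, written out as Splunk searches. The first breaks license_usage.log down by index, sourcetype and host for the sourcetype in question; the second shows which indexes the searching user's roles can actually reach; the third counts what is physically in the index over the full retention period. The index name os, the sourcetype name config_file and the <<yourUserName>> placeholder are taken from the thread; they are not values I know to exist in this environment.

```spl
index=_internal source=*license_usage.log* type=Usage idx=os st=config_file
| eval h=if(isnull(h) OR h=="", "(squashed)", h)
| stats sum(b) AS bytes count AS events min(_time) AS first max(_time) AS last BY idx st h
| convert ctime(first) ctime(last)
| sort - bytes

| rest /services/authentication/users/<<yourUserName>>
| table title roles
| mvexpand roles
| join roles [ | rest /services/authorization/roles | rename title AS roles | table roles srchIndexesAllowed srchIndexesDefault ]

| tstats count WHERE index=os sourcetype=config_file BY _time span=1d
```

Run the first and third searches over All time, as the poster did. In the first, the h field in type=Usage records is blank when Splunk has squashed the per-host/per-source breakdown for that index and sourcetype (which is what the "h=\"\"" rows in the screenshot discussion look like), so only idx and st are reliable for those rows; sum(b) is still the indexed byte volume. If the first search reports bytes but the third reports nothing, the data is being indexed somewhere the search head cannot see: check srchIndexesAllowed from the second search and confirm the search head's distributed search peers include the indexer that wrote the license_usage entry.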