I am trying to determine why we keep going over our license limit every so often, and pinpoint the sourcetype using up the most GB. However, when I switch the 30-day license usage graph to split by sourcetype, the bars never reach their actual full size.
For example, on June 18th we went over our 30GB limit by about 5GB (so 35GB total), however when I split by sourcetype, the total GB for June 18th is not even 10GB. This is using the manager/search/licenseusage, not the app.
You can see our limit line in both pics (the dotted line). The first solid line in the split graph is 10GB.
Is this normal? Is there a better way to help figure out sourcetype license usage? I am trying to "clean house" of unneeded indexing, but have been having little luck so far.
Do you have a large number of low-volume sourcetypes making up most of your total volume?
The per-X logging of license info only logs the top Y number of values, so there will be inaccuracies. How large these are depends on your distribution of volume over few large sourcetypes or many small sourcetypes.
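A small model of the truncation described in the answer above, added here as an illustration and not taken from the thread or from Splunk. The cutoff `TOP_N = 10`, the sourcetype names and both sample days are constructed, with each day totalling the 35 GB from the question.

```python
# Illustrative model only: not Splunk code. TOP_N and both sample days are
# constructed; volumes are in MB so the sums stay exact.
TOP_N = 10  # assumed cutoff; the answer only calls it "Y"


def logged_split(volumes_mb, top_n=TOP_N):
    """Per-sourcetype rows that survive a top-N cutoff, largest first."""
    ranked = sorted(volumes_mb.items(), key=lambda kv: kv[1], reverse=True)
    return dict(ranked[:top_n])


def coverage(volumes_mb, top_n=TOP_N):
    """Return (true_total, split_total, hidden_sourcetypes) for one day."""
    kept = logged_split(volumes_mb, top_n)
    return sum(volumes_mb.values()), sum(kept.values()), len(volumes_mb) - len(kept)


def few_large_day():
    """Constructed day: 5 sourcetypes, 35 GB total."""
    return {"fw": 15000, "proxy": 10000, "wineventlog": 5000,
            "dns": 3000, "syslog": 2000}


def many_small_day():
    """Constructed day: 280 sourcetypes, also 35 GB total."""
    day = {"big_a": 2000, "big_b": 2000}
    day.update({f"mid_{i}": 500 for i in range(8)})
    day.update({f"small_{i:03d}": 100 for i in range(270)})
    return day


if __name__ == "__main__":
    for name, day in (("few large", few_large_day()), ("many small", many_small_day())):
        total, shown, hidden = coverage(day)
        print(f"{name:10s} total={total / 1000:.0f} GB  split graph={shown / 1000:.0f} GB  "
              f"hidden sourcetypes={hidden}")
```

In this model both days exceed a 30 GB limit by the same amount, but the split view of the many-small day adds up to only 8 GB because 270 low-volume sourcetypes fall below the cutoff.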