My Environment: 1 SH, 1DS (CM, LM), 2 INDX`s and 15GB/day License. The day before yesterday logs ingested to Splunk from two days to the License is going very high >daily limit. Yesterday I recognised and disabled the source of logs. So the license was going normal now. When I saw today, the license report is not showing today's usage report. Attaching the snapshots to understand.
please advise how to get back to the normal stage.
I solved the issue; the issue is in the 9996 port from the CM side. This issue will come when the high usage in License consumes in a day the connection will lose in any way. So here found that 9996 port after enabling in the CM end. Note: All servers are bi-directionally open with 8089 and 9996/9997 ports and also check the Telnet, Ping.
To get a better picture of your data, I would suggest using a license usage app. This way you can determine what data is important for what you need. I eventually took the license usage app and made it into a custom app with alerts for when usage is getting "out of control".