Can I please know how to track the license increase? For example , I have an sourcetype "access_log" which has contributed 500GB of license yesterday but today if the same sourcetype contributed 700GB, I would like to see it in visualization. Right now, I am using below query to find top contributing sourcetypes.
index="_internal" source="*metrics.log" per_sourcetype_thruput | chart sum(eval(kb/1024/1024)) AS GB by series | sort – GB
It is the amount of license usage per day, per source type.
index=_internal source=*license_usage.log* type=Usage
| eval gb=b/1024/1024/1024
| timechart span=1d sum(gb) AS sourcetype_volume_GB by st
Have you looked in the Monitoring Console on your license master for this? You can find historical averages and usage for these. See the documentation here : http://docs.splunk.com/Documentation/Splunk/6.6.3/DMC/DMCoverview