I just upgraded from 6.5.6 to 6.6.5, and some searches I was doing in my personal dashboard stopped working.
Through 6.5 I've been using some RT searches to watch the top 10 sourcetypes getting indexed over the past hour. These searches are based on some I found in the old Deployment Monitor app, and start by searching "index=_internal source=license_usage.log type=Usage", then breaking down the results so as to create a stacked area chart. One dashboard panel was broken down by ST, the other by host. Using these I could contact one of my users and note that they were sending an unusual amount of events, in case they weren't aware of that.
Now that I'm running 6.6, those searches don't return any results, as the license usage is being tracked in the license_usage_summary.log file, which is forwarded to the _telemetry index, as I learned looking at the searches in the Monitoring Console. I have looked through the MC, but so far haven't found any panels that I can borrow from. In the License Usage choices under Indexing, the only choices I have are either Previous 30 Days or Today. In Previous I can split by ST, but not in Today, so it won't meet my requirements for ST usage anomalies.
Does anyone have a suggestion for how to monitor the highest ST usage over the past hour or so?