What is the easiest way to run a report which shows how much indexing you are doing per host? Also.. and I know this is a hard and variable question.. how much do you typically expect from a Windows host?
I am eval'ing Splunk for a small client. I have the perimeter NGFW exporting its logs to Splunk, 1 exsi host doing syslog.. and 4 Windows servers (2 are DCs) setup with the universal forwarder to send app/system/security logs. The two DCs have AD monitoring enabled.
I would suggest you take a look at the Distributed Management Console in the settings menu of the Web Interface. It should give you the information you need as well as more information regarding license usage in your instances.
This way you don't need to rely on a report that may not be giving you exactly what you are looking for.
index=_internal source=*license_usage.log type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | timechart span=1d sum(b) AS volumeB by h fixedrange=false | join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
On your Splunk Instance, navigate to Settings>System>Licensing>Usage Report. This is built in to Splunk and would provide multiple slices of license usage. Hope this helps