Ah yes, the license_usage.log events may do what you need. Try this:

index=_internal source=*license_usage.log type=usage (st="WinEventLog:Security" OR st="WinEventLog:Application" OR st="WinEventLog:System") (idx=index1 OR idx=index2 OR idx=index3) | eval GB = b/1024/1024/1024 | eval st_idx = st.": ".idx | timechart span=1d sum(GB) as "Total GB used" by st_idx

i was told not to use the metrics.log because it is not accurate and truncates data after top 20 hosts.i think adding the limit function should resolve that.
using license_usage gives 2 colums for each WinEventLog type(diff vals) y?.Also how do i tell it what indexes to query? seems like it takes all the indexes into account.
thanks in advance....
index=_internal source=*license_usage.log type=usage st="WinEventLog:Security"OR st="WinEventLog:Application"OR st="WinEventLog:System" |eval GB = b/1024/1024/1024| rename st AS sourcetype |timechart span=1d sum(GB) AS "Total GB used" by sourcetype

I see... I don't think the regular metrics logging lets you split by both index and sourcetype, only one or the other. You could try and compute that like this:

(index=1 OR index=2 OR index=3) (sourcetype=A OR sourcetype=B OR sourcetype=C) | eval length = length(_raw) | stats sum(length) as byte by sourcetype index | eval mb = byte / 1048576

That'll run for a while though.

Hi Martin, thank you very much. im almost there!
so the series=A/B/C query works. Only issue is we have over 20+ windows indexes and they all collect data for these specific sourcetypes series=WinEventLog:System/Security/Application
However, i only want this data from index=1, index=2, index=4
index=_internal source="*metrics.log" index=1 group=per_sourcetype_thruput series=WinEventLog:System OR series=WinEventLog:Security OR series=WinEventLog:Application| timechart limit=0 minspan=1h per_hour(kb) by series
doesnt seem to work

Add limit=0 to the timechart to see more than ten sourcetypes, or add series=A OR series=B OR series=C to the base search to just see your three interesting sourcetypes.

The indexes used don't matter, this shows throughput per sourcetype over all indexes.

Hi Martin, i do have access to _internal.
thanks but that only gives me top 10 sourcetypes, what if i want sourcetype A and B and C, which exist in lets say 3 different indexes X, Y , Z.
bascially i want to get the size of the windows security/system/event logs on a daily basis. These are all being captured as different sourcetypes from a few different indexes.

Do you have permission to read the _internal index? If you do then it'd be interesting to find out why your SoS charts are broken.

As for getting that manually, you can see throughput per sourcetype using this query taken from SoS:

index=_internal source="*metrics.log" group=per_sourcetype_thruput | timechart minspan=30s per_second(kb) by series

thanks Martin,
im trying to find where to exactly get this info. seems to me the charts are broken on my sos app.
anyway i can integrate that logic into the search above?