I am looking for something similar, I want to get a breakdwon by not only sourcetype, but by server.

Ideally, I want a chart that has:

Sourcetype Hostname Events KB

I would take something that just has events, and not KB as well.

Here is a search you may find helpful, it does not 100% correlate to license usage, but you can get it pretty close by filtering out internal sourcetypes.

index=_internal sourcetype=splunkd source=*metrics* "group=per_sourcetype_thruput" NOT series="filetrackercrclog" NOT series="splunk*" NOT series="audittrail" NOT series="scheduler" NOT series="searches" NOT series="stash" | eval events=eps*kb/kbps | stats sum(events) as events sum(kb) as kb by series | eval events=round(events,0) | eval kb=round(kb,1)

This search gives you the event count and kb by series (in this case series means sourcetype).

Note that this is assuming your are on the latest 4.0.x release or any 4.1.x release, otherwise you should take out the NOT series="stash" part because summary indexing does count towards your licensing in older releases.

I've run into issues trying to do meaningful things with the kbps metric for 2 reasons:

• if you are looking at long-term analysis, you can't do much with it because it's already an average, so doing avg(kbps) further skews your number.
• Metrics are only recorded for series that are part of the top 10 active series. So it's likely that a sourcetype that varies in volume during the day will drop out of sight until the volume level increases again. Normally this isn't too big of a deal... (BTW, you can change the number of series to capture in limits.conf, look for the metrics stanza.)

If you are simply trying to get a view of activity at this moment or look for spikes, then kbps can be helpful, but for longer-term analysis I recommend looking at actual data indexed in terms of kb or events.

I wish that splunk gave you some additional metrics that indicated what was counting towards your license usage, but I don't think that information exists (other than the daily LicenseManager-Audit message). I think this is as good as it gets in the current release.