I'm running the following search:
index="_internal" source="*license_usage.log"
The problem is that all hosts report received bytes, eventhough there are no events received. The lowest number I have seen is 134 bytes (b=134). Does anyone know why I see these and how I can report on the real number of indexed bytes? Thanks!
The strange thing is that I tested the same on another deployment and on this I won't get any of these entries in license_usage.log if no events occur, which is what I expected. On the initial deployment I see every minute a new event in license_usage.log with "h" being my forwarder and "b" always showing at least 134 bytes, eventhough I cannot find any events from this forwarder. So where are these bytes going? I should see them in any of the non-internal indexes, right?
you need to group per source sourcetype host indexer, (s/h/st/i) to have useful numbers.
You can check the examples of searches on license_usage there :
http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume
I've listed some searches on my blog to show the license breakdown by source, sourcetype, host, per index statistics and so on... I would start with running these various searches to narrow down where the actual culprit is...
http://www.joshd.ca/content/splunk-usage-statistic-searches
I would also suggest downloading and using the Splunk Deployment Monitor app as it can provide a wealth of information:
http://splunk-base.splunk.com/apps/22301/splunk-deployment-monitor