I recently migrated a Splunk instance from a Windows environment to a Linux environment. Since the migration, dashboards on the "License Usage" page have been displaying usage values up to ten times larger than are actually being indexed. There have been no license violations, so this data can't be correct. What might be causing this?
I assume the Splunk instant you migrated is the license master, right? Because if it's a license slave, none of the migration activities matter.
On the license master, please review license_usage.log under SPLUNK_HOME/var/log/ to see what has caused the increased license usage.
You can also use the following searches in Splunk Web to investigate your license consumption issue.
index=_internal component=LicenseUsage* | top type
index=_internal component=Metrics per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals