License usage by TCP source query

kobi_biton
New Member

Hi,

I am trying to evaluate my daily license usage (in GB) per TCP source. Is there a query I can issue to get this number? I have 2 TCP inputs, tcp:8183 and tcp:8182.

Thanks!
Kobi


MarioM
Motivator
index="_internal" source="*license_usage.log" (s="tcp:8182" OR s="tcp:8183") | rename s as source b as bytes | stats sum(bytes) as bytes by source | eval Gbytes = bytes/1024/1024/1024 | fields source Gbytes

MarioM
Motivator

Kobi, if you are happy with the info provided, please accept the answer for those who might have the same question. Thanks.

MarioM
Motivator

Normally an intermediate forwarder sends its metrics.log, but license usage is all on the indexers.

kobi_biton
New Member

Yep, in my case data will be discarded at the indexer level, as my setup is: ufw --> intermediate forwarder --> Splunk indexer. I guess that the query should be run against the intermediate forwarder?

MarioM
Motivator

Not sure about that, it can be empty, but for forwarders you can use this search: index="_internal" source="*metrics.log" group=tcpin_connections | eval gb=kb/1024/1024 | timechart partial=f sum(gb) as GB by sourceHost

This is not useful to measure by forwarder, as some data might be discarded at the indexer level.

kobi_biton
New Member

OK, I see the originator is also null in my case. The only clue I see is the "st" field, which I assume is sourcetype? I can get some info from it. Is there any particular reason why source and source_host would report NULL?

MarioM
Motivator

There is another field named "o" for originator. You can add it to your initial search and filter your search to only show the NULL source_host events:

index="_internal" source="*license_usage.log" | rename s as source b as bytes h as source_host o as originator | search source_host=""

kobi_biton
New Member

Thanks! Now I can see my source_hosts. I noticed that 90% of my usage volume comes from a NULL source and a NULL source_host. Is there anything I can do to drill down and identify this source?

Thanks
Kobi

MarioM
Motivator

The deployment monitor app (/en-US/app/SplunkDeploymentMonitor/license_info) gives you all that info.

MarioM
Motivator

They will not show as source, as they are not sources, but they will show as h:
index="_internal" source="*license_usage.log" | rename s as source b as bytes h as source_host | stats sum(bytes) as bytes by source, source_host | eval Gbytes = bytes/1024/1024/1024 | fields source source_host Gbytes

kobi_biton
New Member

Thanks for the reply. Can I do the same for my Splunk inputs? I have 2 Splunk TCP inputs (9997, 9998), but they do not seem to be treated as sources. Is there any way to count license usage by Splunk TCP input?
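As an added example (not code from this thread or from Splunk), the rename/stats/eval logic discussed above applied offline in Python to constructed license_usage.log lines: it groups on s, h and o, converts bytes to GB with three 1024 steps, and keeps empty source/host values in a visible NULL bucket so the "90% from NULL" share the thread describes can be attributed via the originator. The exact line layout is assumed; only the field names (s, st, h, o, b) come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines laid out like license_usage.log "Usage" events, using
# the same field names the thread relies on: s (source), st (sourcetype),
# h (source host), o (originator) and b (bytes). Values are made up.
SAMPLE_LOG = """\
01-15-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8182" st="syslog" h="fw01" o="" idx="main" b=1073741824
01-15-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="tcp:8183" st="json" h="app01" o="" idx="app" b=536870912
01-15-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="" st="syslog" h="" o="ifwd01" idx="main" b=3221225472
01-15-2024 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" b=0
"""

# key=value pairs; values are either double-quoted (possibly empty) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key=value fields of one log line as a dict of strings."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def usage_by(log_text, group_by=("s", "h")):
    """Sum b (bytes) of type=Usage events by the given fields; empty values
    become "NULL" so the bucket the thread describes (NULL source and NULL
    source_host, typically a forwarder whose identity survives only in o)
    stays visible instead of being dropped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") != "Usage":
            continue  # RolloverSummary and similar carry no per-source bytes
        key = tuple(f.get(name) or "NULL" for name in group_by)
        totals[key] += int(f["b"])
    return dict(totals)

def to_gb(nbytes):
    """Bytes to GB with three 1024 steps (1048576*1048576 would give TB)."""
    return nbytes / 1024 / 1024 / 1024

def report(log_text, group_by=("s", "h", "o")):
    """Rows of (group values..., GB), largest first, like the stats output."""
    rows = [(*key, to_gb(b)) for key, b in usage_by(log_text, group_by).items()]
    return sorted(rows, key=lambda r: r[-1], reverse=True)

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(*row)
```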