Monitoring Splunk

License usage stats in monitoring console seem very off

Robbie1194
Communicator

Hi guys,

So I've noticed that when we go into the monitoring console and view the license usage over the previous 30 days, it works fine as is. However, if I change it to split by index/sourcetype/etc., the figures change drastically and are nowhere near correct.

For example, say our daily license is 300 GB; it says that ONE of our indexes used 570 GB that day, not to mention our other 8 or so indexes.

We have a search head cluster that can run this search:

index=_internal source=*license_usage.log type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false
| join type=outer _time [search index=_internal source=*license_usage.log type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
| fields - "stack size"
| addtotals

and get the correct figures for license usage by index/sourcetype/etc. But the monitoring console's figures don't match when using this search.

I think our license master sends its internal logs to our indexers, so I don't understand why the MC can't query it but the SHC can? Anyone got any ideas? I'm not too clued up on how all the license usage stuff works, so if anyone has a better understanding, some explanations would be appreciated!

Cheers!


mdsnmss
SplunkTrust

I have actually noticed issues with that myself and created an app for license monitoring because of it (https://splunkbase.splunk.com/app/3576/). I reverse engineered the Monitoring Console's searches, and the base component of the search is like the one you posted. From what I've seen in the Monitoring Console, it appears to double each value when it is split. This makes it seem that the data is getting returned twice. It sounds like your setup is similar to mine, where the internal logs get sent to the indexers. My guess is that running the search on the License Master accesses the internal logs locally as well as from the indexers and returns the same data twice.

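The following is an added example, not code from either poster or from the Splunkbase app. It models the aggregation in the original search (sum of b by day and idx, with empty h/s mapped to "(SQUASHED)" and empty idx to "(UNKNOWN)") over constructed license_usage.log lines, and then reproduces the doubling described in the reply: the same type=Usage events are returned once from an indexer and once from the License Master's local _internal index, so a plain sum counts them twice. The hostnames (idx01, licensemaster), the GUID, the byte values and the log lines themselves are invented for this example and only follow the general shape of splunkd's license_usage.log records.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the shape of splunkd's license_usage.log
# "type=Usage" lines (s=source, st=sourcetype, h=host, idx=index, b=bytes).
# Values are invented for this example: 100 GB + 200 GB into "web", 50 GB into "os".
RAW_USAGE_LINES = [
    '06-12-2019 00:00:30.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app:log" h="web01" o="" idx="web" i="LM-GUID" pool="auto_generated_pool_enterprise" b=107374182400 poolsz=322122547200',
    '06-12-2019 00:00:30.000 +0000 INFO  LicenseUsage - type=Usage s="" st="syslog" h="" o="" idx="os" i="LM-GUID" pool="auto_generated_pool_enterprise" b=53687091200 poolsz=322122547200',
    '06-12-2019 00:01:30.000 +0000 INFO  LicenseUsage - type=Usage s="/var/log/app.log" st="app:log" h="web02" o="" idx="web" i="LM-GUID" pool="auto_generated_pool_enterprise" b=214748364800 poolsz=322122547200',
    # A non-Usage record type; the parser must skip it, as type="Usage" does in the search.
    '06-12-2019 00:02:30.000 +0000 INFO  LicenseUsage - type=RolloverSummary i="LM-GUID"',
]

TS_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{4}) \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4} ")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage(line):
    """Return the fields of a type=Usage record, or None for any other record.

    Applies the same defaults as the thread's search: an empty h or s becomes
    "(SQUASHED)" (splunkd squashes per-host/source detail once there are too many
    distinct values) and an empty idx becomes "(UNKNOWN)".
    """
    m = TS_RE.match(line)
    if not m:
        return None
    mm, dd, yyyy = m.groups()
    # re.findall yields '' for the alternative that did not match, so `q or u` picks
    # the quoted value when present, otherwise the bare one (e.g. b=123).
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line[m.end():])}
    if fields.get("type") != "Usage":
        return None
    return {
        "day": f"{yyyy}-{mm}-{dd}",
        "pool": fields.get("pool", ""),
        "s": fields.get("s") or "(SQUASHED)",
        "st": fields.get("st", ""),
        "h": fields.get("h") or "(SQUASHED)",
        "idx": fields.get("idx") or "(UNKNOWN)",
        "b": int(fields["b"]),
    }


def search_results(indexers_have_copy=True, license_master_has_copy=True):
    """Model of what a distributed search over index=_internal returns.

    Each hit is (splunk_server, raw). When the License Master forwards its
    _internal logs to the indexers but also keeps them locally, and the search is
    run from the License Master with itself as a search peer, every event comes
    back twice with identical raw text.  Server names are invented.
    """
    hits = []
    if indexers_have_copy:
        hits += [("idx01", raw) for raw in RAW_USAGE_LINES]
    if license_master_has_copy:
        hits += [("licensemaster", raw) for raw in RAW_USAGE_LINES]
    return hits


def daily_usage_by_index(hits, dedup=False):
    """Sum bytes per (day, idx) in GB, rounded to 3 places like the search's foreach.

    With dedup=True, a raw event already counted from another search peer is
    skipped, which is the correction the doubling hypothesis calls for.
    """
    seen = set()
    totals = defaultdict(int)
    for _server, raw in hits:
        if dedup:
            if raw in seen:
                continue
            seen.add(raw)
        ev = parse_usage(raw)
        if ev is None:
            continue
        totals[(ev["day"], ev["idx"])] += ev["b"]
    return {k: round(v / 1024 ** 3, 3) for k, v in totals.items()}


if __name__ == "__main__":
    both = search_results()
    print("naive sum  :", daily_usage_by_index(both))               # web 600 GB, os 100 GB
    print("deduplicated:", daily_usage_by_index(both, dedup=True))  # web 300 GB, os 50 GB
    print("indexers only:", daily_usage_by_index(search_results(license_master_has_copy=False)))
```

The naive sum reports exactly twice the real volume, which is the symptom described above (a 300 GB license showing 570 GB for one index). The dedup path and the "indexers only" path agree, so in a real deployment the check is to see where the events are coming from: `index=_internal source=*license_usage.log type=Usage | stats count by splunk_server` shows whether the License Master is returning its own local copy alongside the indexers', and excluding it with `splunk_server!=<license master>` (or not forwarding/retaining the local copy) removes the duplication.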