I need to generate a number of reports about license utilization for different customers, over the past 30 days. Do I need to re-run the past 30 days search every day, or is there a way to run it for one day, and have a history that keeps building? Running it every day for 30 days seems like a waste of resources...
You could enable report acceleration for your report to avoid re-running over old days again and again.
You could use the existing license usage data model or a custom one, accelerate that, and build your 30-day reports off that accelerated data model.
You could run a summary search every day to build the report for yesterday, and run your 30-day reports off that summary index.
The first one is the easiest to build - save the report with a time range of 30 days, check the "accelerate" box, select 30 days, save, done. Splunk does the rest underneath.