I have a few questions on how splunk sees and displays the license warning counts. Yes if you go over your pool size then that equals a warning count. However, several instances I see some conflicting information like when I add a new license that is bigger than the previous one, I would think the warning count would reset but it doesn’t.
I also have a search that looks at the license usage.log and shows me how many times I have went over my size in the last 30 days. This also has different counts than what is shown in the warning count section.
The final weird issue I see is when I had a sever warning count at 44 but a week later within any changes, the number decreased to 37. What’s causes so many different numbers with the Splunk licenses