Thanks pruthvikrishnapolavarapu,
Your help got me closer to having an apples-to-apples indexed-volume, per day, per License Pool...
I needed:
more ambiguous source
time-range, "Per Start of Day"=psod
formatting to look like whatever Splunk License Manager is doing internally inside /manager/system/licensing
I adapted your example for my env and now I get totals per-pool that match my partners with licenses my-environment hosts:
earliest=-0h@d latest=now() index=_internal source="*license_usage.log" type=Usage
| eval dmy=strftime(_time, "%m.%d.%Y")
| stats values(dmy) AS "As of 0Hour This MonDayYr" sum(eval(b/1024/1024)) AS vol_mb_psod by pool
| eval vol_mb_psod=round(vol_mb_psod,0)
| fieldformat vol_mb_psod=tostring(vol_mb_psod,"commas")