If you're just interested in yesterday's license usage and prefer to get it from the files, rather than by querying splunk. Look at the lines in those files that contain type=RolloverSummary . Those lines occur right after midnight and contain the bytes (b) ingested in the past day. If it is a single instance with a single license stack, there should be 1 event per day like that.
And that may also explain why you were getting weird results, as the license_usage.log contains (at least) 3 different types of events:
- Usage: every minute one event per index/source/sourcetype/host combo with bytes (b) ingested in past minute
- RolloverSummary: daily summary as described above
- SlaveWarnSummary: something else, not containing license usage info
So if you sum the b field, without taking into account those different types of logs, you will be summing 'live' usage logs together with the daily summary.
... View more