While trying to root cause a huge influx of logs into my instance I noticed that querying my current license usage through the license pool differs greatly when compared to the actual License_Usage.log statistics.
The search below gives me one number:
index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage
| rename b AS bytes st AS source_type idx AS index
| stats sum(bytes) AS total
| eval total=round(total/1024/1024/1024,2)
While this search gives me a number roughly twice as high as the previous measurement:
| rest splunk_server= /services/licenser/pools
| search description=auto_generated_pool_enterprise
| table used_bytes
| eval total=round(used_bytes/1024/1024/1024,2)
Does anyone know why I would be seeing the disparity when searching the exact same time frame?