We are using this search for a Splunk license usage dashboard. it works fine in Splunk 6.1, but when we run this from a 6.3 search head, it gives twice the values.
We switched off the load balancer pointing to the the old search head now have invalid data.
index=_internal source=*license_usage.log* type=Usage | timechart span=1d sum(b) as bytes | eval GB = round(bytes/1024/1024/1024,5) | fields _time GB
Thanks,
Anil.
Do you have a license master in your environment? Does Splunk's Licensing dashboard display correct results? Have you looked at the raw events from your search to see if there are unexpected hosts/sources/etc included in the data that might explain the skewed numbers?