Hi,
I took a search that runs on the license manager, and moved it over to our search-heads, so that customers can have reports/dashboards available to them. On the license manager, it looks correct - showing 7 days of data. The license manager forwards it's data to our indexes (and it has for some time). We recently added a new license pool, and I'm adding some reports for this customer. On the license manager, I get 7 days worth of data, but on the search-head, it only shows 2 days. I have no idea why. My search is listed below. I also tried it without the "set_local_host" macro.
index=_internal [`set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | search pool="PWI License" | timechart span=1d sum(b) AS volumeB by st fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | search pool="PWI License" | eval _time=_time - 43200 | bin _time span=1d | stats latest(poolsz) AS "pool size" by _time] | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
index=_internal source=license_usage.log type="Usage" earliest=-7d@d latest=now | rest of the query.
Sounds like the Search Head may not be searching across the same data set (indexers). I would check this two ways:
dispatch.stream.remote.<indexername>
listed?