I'm putting together some simple dashboards to give our internal users a view into what their servers are sending into Splunk, and how much of it.
I've had pretty good luck using the data that comes out of this search:
index=_internal type=Usage
However, I have noticed some results that look like:
05-09-2013 14:36:23.327 -0400 INFO LicenseUsage - type=Usage s="" st=webseal_server_log h="" o="" i="ZZZZZZZZ-AAAA-XXXX-XXXX-YYYYYYYYYYYY" pool="Company Master Pool" b=38693 poolsz=41875931136
While writing up this question, I came across the explanation of "squash_threshold" and what it does.
So... aside from raising the value to a very large amount, is there another source for figuring out how many bytes a specific forwarder sent in?
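An offline check for the situation described above, added here as an example and not part of the original post: it parses exported `type=Usage` lines in the quoted format and separates bytes that still carry a host (`h`) from bytes logged with an empty `h`, so a dashboard can state how much volume cannot be attributed per host. Only the first sample line comes from the post; the other lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the LicenseUsage format quoted in the post. Only the
# first line comes from the post; hosts, sources and byte counts are made up.
GUID = "ZZZZZZZZ-AAAA-XXXX-XXXX-YYYYYYYYYYYY"
PREFIX = "05-09-2013 14:36:23.327 -0400 INFO LicenseUsage - "
TAIL = ' o="" i="%s" pool="Company Master Pool" ' % GUID
SAMPLE = [
    PREFIX + 'type=Usage s="" st=webseal_server_log h=""' + TAIL + "b=38693 poolsz=41875931136",
    PREFIX + 'type=Usage s="/var/log/messages" st=syslog h="web01.example.com"' + TAIL + "b=1200 poolsz=41875931136",
    PREFIX + 'type=Usage s="/var/log/messages" st=syslog h="web01.example.com"' + TAIL + "b=800 poolsz=41875931136",
    PREFIX + 'type=Usage s="" st=webseal_server_log h=""' + TAIL + "b=1307 poolsz=41875931136",
    PREFIX + "type=Other b=999",  # constructed non-Usage line, must be ignored
]

# key=value pairs where the value is either "quoted" (possibly empty) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_usage(line):
    """Return the key/value fields of a type=Usage event, or None otherwise."""
    fields = {key: bare or quoted for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("type") == "Usage" else None

def summarize(lines):
    """Split bytes (b) into per-host totals and totals with an empty host."""
    per_host = defaultdict(int)
    no_host_by_sourcetype = defaultdict(int)
    for line in lines:
        fields = parse_usage(line)
        if fields is None or not fields.get("b", "").isdigit():
            continue
        size = int(fields["b"])
        if fields.get("h"):
            per_host[fields["h"]] += size
        else:
            # Host is empty, as in the event quoted in the post: the bytes
            # can only be attributed to the sourcetype (st).
            no_host_by_sourcetype[fields.get("st", "")] += size
    unattributed = sum(no_host_by_sourcetype.values())
    total = unattributed + sum(per_host.values())
    ratio = unattributed / total if total else 0.0
    return dict(per_host), dict(no_host_by_sourcetype), ratio

if __name__ == "__main__":
    hosts, no_host, ratio = summarize(SAMPLE)
    print(hosts, no_host, "%.1f%% of bytes have no host" % (ratio * 100))
```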