I've read various topics on license usage, but I'm still confused about the basic calculation: exactly which bytes count as license usage?
A possible answer might be: the number of bytes in the `_raw` field. But I recognize that might be simplistic, or at least incomplete.
My own - possibly faulty - experiments indicate that "number of _bytes_" _is_ simplistic, at least in the following regard: `len()` appears to count multibyte UTF-8 characters as 1, as I'd hope. So, "number of _characters_", then, depending on the character set encoding used by Splunk to interpret the length of a string.
The recent Splunk blog post "[What size should my Splunk license be?][1]" includes the following command in a search:
```
eval evt_bytes = len(_raw)
```
The naming of that field - specifically, the trailing term `_bytes` - makes me think that I might be wrong about how `len()` treats multibyte characters.
However, I'm unsure, and - with apologies to the blog post author if I've missed it - the blog post doesn't describe whether the `b` field from `index=_internal source=*license_usage.log type=Usage` is simply a total of `evt_bytes`, or includes other bytes, or is not based on `len(_raw)` at all.
For example, if I send Splunk the following JSON-formatted event via TCP:
```
{"time":"2016-05-20 09:00:00.000","myfield":"myvalue"}\r\n
```
(where `\r\n` represents two bytes: a "carriage return/linefeed pair")
consisting of 56 bytes (if you include the trailing `\r\n`)
then what exactly is this event's contribution to license usage? 56 bytes? Or 54 bytes (if the `\r\n` is not included)? Or a higher number, to account for Splunk internal field values associated with this event?
While I'm asking (with apologies if readers think this should be a separate question)... if I send the same event via the HTTP Event Collector:
```
{"time":1463734800,"event":{"myfield":"myvalue"}}
```
then do I save on license usage by having the time stamp as metadata, rather than in the event data (that becomes the `_raw` field)?
Before asking this question, I considered performing my own tests, indexing single events (via TCP and HEC) into brand new indexes, and then looking at the corresponding `b` field values in the log file. I might still do that, but I have limited time, and anyway, I'd like to know what the figures _should_ show, so that, if I do these tests, I can confirm or deny that (or, more likely, figure out where I've gone wrong in my testing :-) ).
[1]: http://blogs.splunk.com/2016/05/06/what-size-should-my-splunk-license-be/