License violations occur after a series of license warnings, and license warnings occur when your daily INDEXING volume exceeds the license's limit. Getting multiple license warnings and exceeding the maximum warning limit for your license will result in a license violation. With a Splunk commercial license, users can receive five warnings within a 30-day period before INDEXER stops triggering search RESULTS and reports. Users of the FREE version, however, will only receive three warnings. 

Avoid License Warning:

• Monitor your license usage over time and ensure that you have enough license volume to meet your daily needs.
• Viewing the license usage report in the license master can help troubleshoot index volume.
• In the monitoring console, set up an alert to track daily license usage.

Troubleshoot License Violation Warning:

• Determine which index/source type recently received more data than usual.
• Splunk Master license pool-wise quotas can be checked to identify the pool for which the violation occurred.
• Once we KNOW which pool is receiving more data, then we need to determine which source type is likely to be receiving more than normal data.
• Having identified the source type, the next step is to find out which machine is sending so many logs and the reason behind it.
• We can then troubleshoot the problem accordingly.