License violation warning means splunk has indexed more data than our purchased license quota.We have to identify which index/sourcetype has received more data recently than usual daily data volume.We can CHECK on splunk license master pool WISE available quota and identify the pool for which violation is occurring.Once we know the pool for which we are receiving more data then we have to identify top sourcetype for which we are receiving more data than usual data.Once sourcetype is identified then we have to find out SOURCE machine which is sending huge NUMBER of logs and root CAUSE for the same and troubleshoot accordingly.

License violation warning means splunk has indexed more data than our purchased license quota.We have to identify which index/sourcetype has received more data recently than usual daily data volume.We can check on splunk license master pool wise available quota and identify the pool for which violation is occurring.Once we know the pool for which we are receiving more data then we have to identify top sourcetype for which we are receiving more data than usual data.Once sourcetype is identified then we have to find out source machine which is sending huge number of logs and root cause for the same and troubleshoot accordingly.