So I've read this link, but I still have questions.
I'm not trying to index a LARGE amount of data, I'm only using SPLUNK as a front end for OSSEC. I have ~25 windows servers pointing at my OSSEC instance, and then it pointing @ SPLUNK.
If I scale back on the amount of data being indexed (change it dramatically) how long will it take to re-enable my license?
The violaions are on a rolling period. So if you have just recently violated the maximum number of times, you will have to wait until one of those violations roll out of the window. Otherwise, you will need to contact your sales representative or account manager to get this addressed.
It looks like you will have to be violation-free for 30 days before search will be re-enabled. You might check out this documentations: Install a License There is a section at the bottom about violations.