OK. Time to dig into the gory details of Splunk licensing.
When you have an enforcing license (either a trial, dev or "full" license not big enough to be non-enforcing), each day you exceed your daily ingestion allowance will generate a warning. If you exceed given number of warnings during a given time period (with a trial version it's 5 warnings in 30-day rolling window; with a "full" Splunk Enterprise license it's 45 warnings in 60 day), your environment will go into a "violation mode".
Most importantly - it will stop allowing you search any data other than internal indexes.
And the tricky question is that even if you add new/bigger/whatever license at this point, it will not automatically "unlock" your environment. You need to either wait for the violations to clear (for some license types) or request a special unlock license from the Splunk sales team.
So tl,dr - if you let your Splunk run out of license, it's not as easy as "I add my freshly bought license" and it starts working again.
