The Unix app is the culprit. Even though you have disabled the index where the data should be stored, the inputs are still running and the data is flowing through Splunk, until it gets to the indexing processor which will throw it away.
Indexed data volume in the 4.0.x and earlier versions was calculated before the data was actually written to disk, so even though your Unix app data isn't being kept, it still counts. If you disable the inputs, or the entire app, the violations will cease.
This has changed in the latest 4.1 release, and data volumes are now calculated as the disk is written to.