This one is entirely dependent on your environment.

You mention search head, and you seem to have a lot of events, so I'm going to assume you're in a distributed environment. There is no built-in way of stopping indexing when you hit your license, so you'll have to get creative if you want to achieve this.

First, know what happens when you go over your license. The sequence of events that happen after you go over depend on what type of license you have. Some more info is in the docs.

Secondly, one way you could stop indexing when you get to a certain % of your license used is to create an alert that runs a script that tells an app to stop collecting data. There was a previous Splunk Community post on that.

Thirdly, understand WHY you might go over and how you can fix it. Sometimes your friends in Russia decided to point a scanner on all of your servers and aggressively scan that night and you go over, that's not really something you can predict and fix. It's not always realistic to just get a bigger license, but if you truly need that data then maybe you can fine tune how often you receive it, or possibly turn off a data source that you aren't really using. I'd suggest taking a data inventory to figure out the whats and the whys of a particular data source in Splunk. Ask yourself the following questions:

• What am I doing with this data? (alerts, reports, etc.)
• Why am I collecting it? (use cases)
• Do I need it every 30s? (changing that to 1min cuts your amount indexed in half!)
• If I am collecting it, what can I do to turn that data into a powerful resource?

Hope this helped!