Today at 5pm, I triggered my 1st license violation of my 30-day rolling period. I am currently at 110% of my 10GB quota. Is there anything I can do between now and midnight to clear this up so I won't get "pegged"?
No, there is nothing that you can do. You indexed more than your license. There is no way to "unindex" data.
However, if you had multiple license pools, and another pool had available license, you could shift the license between pools and make a pool violation go away.
But if your total license is 10 GB and you indexed 11 GB - you will get a violation.
The important question is "why did this happen"? Splunk has some built-in reports that help you examine your license usage. I would take a close look at those and see if you can identify the reason that you are over quota. In Splunk 6, you can find the Splunk License Usage Report View under Settings > License.
If you are using an older version of Splunk, there are a number of apps and reports that will help you break down your usage. I recommend the Splunk on Splunk app (SOS) for all versions of Splunk.
If you can't figure it out, or need help deciding what to do next, please
- ask more questions in this forum
- open a support ticket
No one wants to get enough violations to lock up their Splunk search!
Hopefully, this was an anomaly and won't happen again anytime soon. But you should do your research and be sure...
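
To complement the built-in reports mentioned in the answer above, here is an added example (not part of the original post and not Splunk's own code) that totals indexed bytes per sourcetype or host from `license_usage.log`-style lines and compares the sum with the 10 GB quota from the question. The sample lines are constructed, and the `type=Usage` key=value layout (`st`, `h`, `idx`, `pool`, `b`) is an assumption about that log's format.

```python
import re
from collections import defaultdict

QUOTA_BYTES = 10 * 1024**3  # the 10 GB daily quota from the question

# Constructed sample lines (not real data). Assumed layout: key=value pairs,
# with b = bytes indexed, st = sourcetype, h = host, idx = index.
SAMPLE = """\
01-15-2014 09:00:01.000 INFO LicenseUsage - type=Usage st="syslog" h="web01" idx="main" pool="p1" b=3221225472
01-15-2014 12:00:01.000 INFO LicenseUsage - type=Usage st="access_combined" h="web02" idx="web" pool="p1" b=2147483648
01-15-2014 16:30:01.000 INFO LicenseUsage - type=Usage st="app_debug" h="" idx="main" pool="p1" b=6442450944
01-16-2014 00:00:00.000 INFO LicenseUsage - type=RolloverSummary pool="p1" b=11811160064
"""

# Matches key="quoted value" or key=bare_value.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_usage(lines):
    """Yield one dict per type=Usage event; summary and other lines are skipped
    so the daily rollover total is not counted a second time."""
    for line in lines:
        fields = {k: (bare or quoted) for k, quoted, bare in KV.findall(line)}
        if fields.get("type") == "Usage" and fields.get("b", "").isdigit():
            yield fields

def usage_by(lines, key="st"):
    """Sum bytes per value of `key`; an empty value is grouped as '(squashed)'."""
    totals = defaultdict(int)
    for ev in parse_usage(lines):
        totals[ev.get(key) or "(squashed)"] += int(ev["b"])
    return dict(totals)

def report(lines, key="st", quota=QUOTA_BYTES):
    """Return total usage, percent of quota, and contributors, largest first."""
    totals = usage_by(lines, key)
    used = sum(totals.values())
    rows = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "used_bytes": used,
        "pct_of_quota": round(100 * used / quota, 1),
        "over_quota": used > quota,
        "top": [(n, b, round(100 * b / used, 1) if used else 0.0) for n, b in rows],
    }

if __name__ == "__main__":
    r = report(SAMPLE.splitlines())
    print(f"{r['pct_of_quota']}% of quota, over={r['over_quota']}")
    for name, nbytes, share in r["top"]:
        print(f"{name:20} {nbytes / 1024**3:6.2f} GB  {share:5.1f}%")
```
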