I've noticed that my Splunk search head is using more disk space than expected. Traversing through the /opt/splunk directory structure, the majority of the data is associated with a number of rt_scheduler_xxxxx directories within var/run/splunk/dispatch.
If you have real-time alerts running, these are probably the files associated with those alerts.
You might be able to reduce the disk usage by changing the default saved TTL (time to live) in limits.conf, but I am not sure that will work for this problem.
But perhaps a better way is to limit the role that is running these searches. If you just look at the Settings->Searches on your search head, you can probably figure out the user, and by extension, the role. You can then cut back the disk quota for that role.
On the other hand, you may find that this is actually important data that is necessary for your alerts to work properly.
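To see which user's real-time searches hold the space before changing a TTL or a role quota, the dispatch directory can be summarised per owner. This is an added example, not part of the original answer or Splunk's own tooling; the function name `rt_dispatch_usage` is hypothetical, and it assumes the directory names follow `rt_scheduler__<user>__<app>__<rest>`, which the page does not state, so check it against your own dispatch directory.

```shell
#!/bin/sh
# Added example: summarise real-time scheduler artifacts in a Splunk dispatch
# directory by owning user, so the role to review can be identified.
# Assumption (not from the page): directory names follow
#   rt_scheduler__<user>__<app>__<rest>
# Names that do not match that layout are grouped under "unknown".

# Usage: rt_dispatch_usage [dispatch_dir]
# Prints one line per user: "<user> <dir_count> <kilobytes>", largest first.
rt_dispatch_usage() {
    dispatch_dir=${1:-/opt/splunk/var/run/splunk/dispatch}
    [ -d "$dispatch_dir" ] || { echo "not a directory: $dispatch_dir" >&2; return 1; }

    # Only top-level rt_scheduler_* directories are measured. Errors from du
    # are discarded because artifacts can be reaped while the scan runs.
    find "$dispatch_dir" -mindepth 1 -maxdepth 1 -type d -name 'rt_scheduler_*' \
        -exec du -sk {} + 2>/dev/null |
    awk '
        {
            kb = $1
            # du prints "<kb><tab><path>"; keep only the last path component.
            path = $0; sub(/^[0-9]+[ \t]+/, "", path)
            n = split(path, parts, "/"); name = parts[n]
            user = "unknown"
            # Fields in the assumed layout are separated by double underscores.
            if (split(name, f, "__") >= 3 && f[1] == "rt_scheduler" && f[2] != "")
                user = f[2]
            count[user]++; total[user] += kb
        }
        END { for (u in count) print u, count[u], total[u] }
    ' | sort -k3,3nr -k1,1
}
```

Run it as the user that owns the Splunk installation, for example `rt_dispatch_usage /opt/splunk/var/run/splunk/dispatch`, and compare the top entries with the owners shown under Settings->Searches.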