Thanks for this, walkeran. This is a much faster and more flexible solution than the previous one. However, it's not totally correct. Your search will only produce results if a single indexer in the pool has exceeded the pool allocation. What is needed is to find whether all of the indexers in the pool combined have exceeded the allocation.
Here is the modified solution:
earliest=@d latest=now sourcetype=splunkd index=_internal type=RolloverSummary source=*license_usage.log
| stats sum(b) as usage by pool, poolsz
| where usage > poolsz
| eval usage = usage/1024/1024/1024
| eval poolsz = poolsz/1024/1024/1024
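The difference between the two checks discussed above (a single indexer exceeding the pool versus the whole pool's indexers combined exceeding it) can be run offline against sample data. The following is an added example and not part of the original post or of Splunk: it parses a few constructed RolloverSummary lines in the key=value shape of license_usage.log (the exact field layout is an assumption), sums `b` per `pool` the way the `stats sum(b) ... by pool, poolsz` search does, and reports pools over their allocation. The sample has three indexers of 40, 35 and 30 GB in a 100 GB pool, so the per-indexer check finds nothing while the combined check flags the pool.

```python
import re
from collections import defaultdict

# Constructed sample data (not real log output). Layout assumed to mirror
# license_usage.log RolloverSummary events: one line per indexer (h) per pool,
# b and poolsz in bytes. The type="Usage" line has no poolsz and must be skipped.
SAMPLE_LOG = """\
05-01-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" stack="enterprise" h="idx1" b=40000000000 poolsz=100000000000
05-01-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" stack="enterprise" h="idx2" b=35000000000 poolsz=100000000000
05-01-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" stack="enterprise" h="idx3" b=30000000000 poolsz=100000000000
05-01-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" pool="small_pool" stack="enterprise" h="idx4" b=1000000000 poolsz=5000000000
05-01-2020 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" idx="main" h="idx4" b=123456
"""

# key="quoted value" or key=bareword, as Splunk writes them
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Return one dict per RolloverSummary line; b and poolsz converted to int."""
    events = []
    for line in text.splitlines():
        fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
        # Equivalent of the search filter type=RolloverSummary
        if fields.get("type") != "RolloverSummary":
            continue
        if "b" not in fields or "poolsz" not in fields or "pool" not in fields:
            continue
        events.append({
            "pool": fields["pool"],
            "host": fields.get("h", "?"),
            "b": int(fields["b"]),
            "poolsz": int(fields["poolsz"]),
        })
    return events


def pools_over_single_indexer(events):
    """The per-indexer check: pools where any one RolloverSummary row exceeds poolsz."""
    return {ev["pool"] for ev in events if ev["b"] > ev["poolsz"]}


def pools_over_combined(events):
    """The combined check: sum(b) by pool, then where usage > poolsz.

    Returns {pool: (usage_bytes, poolsz_bytes)} for pools over allocation.
    poolsz is assumed constant for a pool within the day (the search's
    'by pool, poolsz' would split the sum if it changed).
    """
    usage = defaultdict(int)
    poolsz = {}
    for ev in events:
        usage[ev["pool"]] += ev["b"]
        poolsz[ev["pool"]] = ev["poolsz"]
    return {p: (usage[p], poolsz[p]) for p in usage if usage[p] > poolsz[p]}


def to_gb(nbytes):
    """Same unit conversion as the search's eval: bytes / 1024 / 1024 / 1024."""
    return nbytes / 1024 / 1024 / 1024


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("single-indexer check flags:", pools_over_single_indexer(events) or "nothing")
    for pool, (used, size) in pools_over_combined(events).items():
        print(f"combined check: {pool} used {to_gb(used):.2f} GB of {to_gb(size):.2f} GB")
```

Run it as-is to see the per-indexer check return nothing while the combined check reports `auto_generated_pool_enterprise` at roughly 97.8 GB of a 93.1 GB allocation (GiB, because the conversion divides by 1024 three times, matching the search). To point it at real data, replace `SAMPLE_LOG` with the contents of a license_usage.log copied from the license master.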