I only use one pool that contains my entire license (350GB), so I'm not terribly well-versed on license pools... with that said...
I believe the idea with pools is to be able to split your total license among groups at your organization. For example, if you configured your 50GB license as:
10GB for NOC
10GB for Engineering
10GB for InfoSec
10GB for HelpDesk
10GB for Developers
Total allocated: 50GB/50GB
You then point those groups to their own indexers (which are in their respective license pools). When that a certain group violates their license 5 times, they can no longer search their data -- but the other groups are unaffected. This is with the idea that this particular group requires more licensing, so you can juggle pools, or have them procure more licensing from Splunk for their needs.
If you have added all of your indexers to one pool, and this pool has 47GB of your 50GB license, leaving you with 3GB unallocated, each time you boink past 47GB, you will get a violation. Since your entire environment is essentially under one pool, you'll get locked out after 5 violations. You're essentially telling Splunk, "My license is only 47GB". Splunk won't stop indexing at 47GB (causing violations), but will violate you at any ingest between 47GB-50GB (and above, obviously).
If you wanted to "cap" Splunk indexing at your license volume and prevent possible violations, you either have to take a closer look at what you're indexing by blacklisting or whitelisting data, or create an alert that when you hit something like 95% of your license limit, triggers a script to disable indexing until midnight.
... View more