No, there is nothing that you can do. You indexed more than your license. There is no way to "unindex" data.
However, if you had multiple license pools, and another pool had available license, you could shift the license between pools and make a pool violation go away.
But if your total license is 10 GB and you indexed 11 GB - you will get a violation.
The important question is "why did this happen"? Splunk has some built-in reports that help you examine your license usage. I would take a close look at those and see if you can identify the reason that you are over quota. In Splunk 6, you can find the Splunk License Usage Report View under Settings > License.
If you are using an older version of Splunk, there are a number of apps and reports that will help you break down your usage. I recommend the Splunk on Splunk app (SOS) for all versions of Splunk.
If you can't figure it out, or need help deciding what to do next, please
- ask more questions in this forum
- open a support ticket
No one wants to get enough violations to lock up their Splunk search!
Hopefully, this was an anomaly and won't happen again anytime soon. But you should do your research and be sure...
You probably need to modify the regex ".+" in the CameraSite field to capture the full name... I usually have to play around with it, but could either be something like
(?P<CameraSite>[\w\d\-\.]*) or (?P<CameraSite>.*[^ ])