Splunk has indexed more data than our paid license quota, resulting in a license violation notice. We need to figure out which index/source type has lately received more data than the average daily data volume. We can look up the allowable quota for each pool in the Splunk licensing master and find the pool where the violation happened. We must determine the top source type for which we are receiving more data than normal once we have identified the pool for which we are receiving more data. Once the source type has been determined, we must determine the source machine that is providing a large number of logs, as well as the underlying reason, and resolve the issue accordingly.