When we want to find some way to get the count of the quota exceed event, we might find this page “Splunk > Wiki : Community:TroubleshootingIndexedDataVolume Troubleshooting Indexed Data Volume”.
Then we could use the following to get the count.
index=_internal source=*license_audit.log LicenseManager-Audit
| streamstats current=f global=f window=1 first(quotaExceededCount) as next_quotaExceededCount by host
| eval quotadiff = next_quotaExceededCount - quotaExceededCount
| search quotadiff>0
But in my case, I only want to know the last value of the quotaExceededCount. So I modified it.
index=_internal licensemanager | stats first(quotaExceededCount) by host
Finally, I would use the quotaExceededCount value to judge is not able to import data.