Here is a query which checks every 30 mins the license limit and compare it with the daily indexing limit.
Basically it first calculates the daily ideal index rate for 30 mins based on the daily limit (in my case its 30 GB) and then it calculates last 30 mins indexed data volume.

This query gonna show following columns if last_30_Mins_indexed_Rate exceeds Ideal_Indexed_Rate :

indexed_Data_Volume_Consumed, Current_Time, Hours_left, Ideal_Indexed_Rate, Indexed_Data_Volume_Left, last_30_Mins_indexed_Rate

Query:

index="_internal" source="*metrics.log" per_index_thruput series="main" earliest=-30m | stats sum(eval(kb/1024/1024)) as last_30_Mins_index | eval hour=tonumber(strftime(now(), "%H")) | eval min=tonumber(strftime(now(), "%M")) | eval timeslots=(24-hour)*2 - round(min/30)
| map search="search index="_internal" source="*metrics.log" per_index_thruput series="main" earliest=@d
| eval GB_Indexed = kb/1024/1024
| stats sum(GB_Indexed) as indexed_Data_Volume_Consumed | eval Indexed_Data_Volume_Left=round((30- indexed_Data_Volume_Consumed),2)| eval Ideal_Indexed_Rate=Indexed_Data_Volume_Left/($timeslots$)| eval Current_Time = now()
| convert ctime(Current_Time)
| eval last_30_Mins_indexed_Rate=$last_30_Mins_index$ |eval Hours_left=round($timeslots$/2,2)
|where ((last_30_Mins_indexed_Rate>Ideal_Indexed_Rate) AND (Hours_left<=20 OR last_30_Mins_indexed_Rate>1)) OR ((Hours_left<=2) AND (Ideal_Indexed_Rate<.5))"

Please reply if this helps.