Is it possible that your looking at the compressed version of the log and not the raw size of the log?
Alternatively, have you checked what period of time was indexed on the day you used the 5.5GB of license?
It would be possible that you indexed multiple days of log data within the same 24 hour period and therefore used 5.5GB of Splunk licensing. Perhaps you could query the data with something similar to:
| tstats max(_indextime), min(_indextime), max(_time), min(_time) where sourcetype=opssec
Or, if you know the approximate size of each event (checkpoint logs can be quite consistent), then count the number of events for a 24 hour period in Splunk...:
| tstats count where sourcetype=opssec groupby _time span=24h
That query will need some tweaking but I think you get the point...
Note that Splunk licensing will bill raw data size that is sent via the indexer.