Check out the meta woot! app on splunkbase.
It provides many must have views for Splunk Admins, including a licensing data model that show you license usage per event:
This will allow you to monitor how much license a sourcetype/index are using per event.
Once you narrow it down you can then use a search like this to investigate the raw events
| eval eventSize=len(raw)
| table eventSize _raw
| sort - eventSize
| stats max(eventSize), avg(eventSize), min(eventSize) to keep some high level stats on your data.
I am trying to check the license usage consumption by event pattern and trying to create a report which would say which event patterns are consuming more license.