I recently updated the universal forwarders for all windows servers (6.1.3), installed the updated Splunk_TA_windows app and my log indexing went through the roof! I was getting somewhere between 10-15 GB of logs per day on each of my two instances. Now If I don't "pull the switch", I can easily go over 25GB.
What can I do to slow down the logs so I don't keep getting license violations (other than getting a new license)?
You need to compare whatever inputs.conf was configured on your Windows servers before, with whatever it is now, and determine what inputs are different. I would pay particular attention to any perfmon entries in the inputs.conf, and what granularity those are set to. It is entirely possible that the updated Splunk_TA_windows app may have a new set of inputs that the old one did not, and perhaps those are "enabled" by default.