From Splunk Wiki
How to obtain Daily Peak Volume on Windows Event logs for License purchase
To get an estimated (not exact), you can export a security event to a file and see the size of it.
Splunk indexing event viewer:
At startup, Splunk captures all the events that it finds in the Security, Application, and System Event Logs (and others). Splunk indexes events that arrive after that as they are logged in Event Viewer. Assuming there are 50 Domain controllers and all of them are processing same thing and equally busy, we can take one of the servers and see its average Daily Peak and us that to calculate the value for the others.
As an example we will use WinEvt:Security:
Do Action>Save log as… and save a security event to a txt file. By default, the event is saved in EVT format. It is important to save it as TXT. The size of an EVT is larger than TXT, therefore it will be larger than you expect.
There is a significant difference between Action>Export List… vs Action>Save log as…
Export List…: will just export the list of events:
Information 3/6/2009 1:49:25 PM Splunk Utility None 1 N/A EK
Save log as…: This will export the detail of an events.
3/6/2009 1:49:25 PM Splunk Utility Information None 1 N/A EK The description for Event ID ( 1 ) in Source ( Splunk Utility ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: You need to restart the Splunk Server for your changes to take effect
Once it’s exported, save it, right-click, and select Properties to see the file-size.
Measuring event on daily peak
Filter your events in View>Filter.
- In From, select Events On and set a date 1/9/2009 12:00:00 AM.
- In To, set Events On to 1/9/2009 11:59:59 PM.
Export this subset of events to a text file and view the properties of the file to see the size.
Then, multiply this value across your 50 domain controller and this should give an approximate total of:
- the initial total security events from 50 domain controller
- your daily security events from 50 domain controller