If you're trying to estimate before getting Splunk configure your network devices to syslog to a single server and put that information into a file. If you run that over your busy periods you can use it as a pretty good estimate of the volumes.

One thing to bear in mind is whether you have control over the log level configuration on the network devices. If not then you might need to has some defensive configuration, to filter out DEBUG etc prior to indexing, in case a network engineer changes the level and overwhelms your license, or indeed storage.

It all depends on what they're configured to log...

switches and routers; could be very little - just port up/down, config changed, admin logins - those kind of messages. Sometimes not more than a couple of kB/day. But could also be a lot more if there's any logging of traffic.

for firewalls it's almost impossible to tell. Normally you'd log some/all of the blocked connection attempts. Sometimes you'd want to log the allowed traffic as well. And of course, it depends on what's on either side of the firewall, how many clients/servers etc etc.

So while yannK's advice is the best, I can say that I've seen figures like;

switches/routers: 1-50 kB/day
firewalls: 10 MB - 3 GB/day

Not very helpful, I know. Sorry.

/Kristian

Very hard to guess.
My advice, configure a standard one, to forward syslog to a splunk instance in a single index, let it run a week and do stats of volume per day. Then extrapolate for 1000 time more devices.