Martin, thanks for the pointer on limiting historic inputs. That will come in handy as we begin our deployment soon.
I also agree that estimating overall volume is tricky as there are SO many variables. My Splunk contact recommended using the Splunk On Splunk (SOS) app (see:http://apps.splunk.com/app/748/) to measure this. I was able to have a 10% sample size during our POV and got some numbers that I hope are in the ballpark. Getting 10% sampling in some scenarios is not practical but it was for me. This tool also looks useful going forward.
Rush2112, perhaps that app could be helpful?
... View more