From previous experience, this is an impossible solution. Best way to calculate is to setup Splunk and turn on the taps for a week, although its noble of you to try 🙂

Some things you can't estimate (or could but the calculator would be so complex it would be quicker to do a PoC);

• Natural spikes in data activity you may not currently be aware of (Hot desking impacts switches, user logons, backups etc)
• Number of users and their roles. A count of users tells you nothing but dependant on their role or group access they may be generating more events by accessing more resources. Also an admin level user may generate more system, security and application events.
• You ask for average data size a day but how do you assess this? Some systems will only allow you to output syslog over UDP which you couldn't estimate without sticking a syslog server or Splunk on the other end... by which point you know your licence needs 🙂
• Bob has a windows 2003 server, its a DC. Phil has a windows 2003 server thats also a DC. Oh but Phil has more audit options turned on, but less users and Bob has a massive network but did a pretty poor job of configuring replication so theres lots of errors.
• More of the above..

I'm not trying to be negative, its a great idea to try and do something like this but as I said, I've previously tried to build estimates but to build the estimate you need to see the natural flow of data over a week to take into account normal peaks and lows, including the number of times someone may enable debug on a switch (not to mention you may have 20 switches/routers all with different log levels).. and in the end just stuck Splunk in and worked it out in real time. This also gives you the advantage that you can enable some nullQueues and edit your inputs to trim the fat.

That's an awful lot of work that you are asking other people to do. Are you sure that it will be generally useful to everyone? Plus I am having some problems making sense of the table that you posted.