Remark:
Please do not think that increasing the queue size will resolve this issue permanently.
You want to allow faster speed instead.
256 KBps will allow the FWD to do up to 115Mb per hour.
https://www.google.com/search?btnG=1&pws=0&q=256+kbps+to+mb+per+hour&gws_rd=ssl
So if you are monitoring a very busy instance (like a Windows DC), you have to bump or remove the limit.
You can work by increments, for example 1024KBps, then 2048Kbps etc... until you do not see a huge delay in the indexing of the events,
or remove the limit (maxKBps=0), and check the results in metrics.log.
If you have no idea of the actual average volume or delay, check this guide:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay
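Added example, not part of the original post: one way to check metrics.log for a forwarder pinned at its maxKBps limit by reading the `group=thruput` lines. The sample lines are constructed, and the function names, the 5% margin and the 80% threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample in the key=value layout of a forwarder's metrics.log;
# timestamps and values are illustrative, not taken from a real host.
SAMPLE = """\
06-01-2015 10:00:01.000 +0200 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=255.8, instantaneous_eps=410.2, average_kbps=254.9, total_k_processed=917640, kb=7929.8, ev=12716
06-01-2015 10:00:01.000 +0200 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=511, current_size=1360, largest_size=1400, smallest_size=0
06-01-2015 10:00:32.000 +0200 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=256.1, instantaneous_eps=415.0, average_kbps=255.0, total_k_processed=925579, kb=7939.1, ev=12865
06-01-2015 10:01:03.000 +0200 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=254.0, instantaneous_eps=402.7, average_kbps=255.0, total_k_processed=933453, kb=7874.0, ev=12483
06-01-2015 10:01:34.000 +0200 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=120.3, instantaneous_eps=190.4, average_kbps=254.1, total_k_processed=937182, kb=3729.3, ev=5902
06-01-2015 10:02:05.000 +0200 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=255.9, instantaneous_eps=411.9, average_kbps=254.2, total_k_processed=945115, kb=7932.9, ev=12768
"""

KV = re.compile(r"(\w+)=([^,\s]+)")


def thruput_samples(text):
    """Return instantaneous_kbps for every group=thruput, name=thruput line."""
    samples = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("group") == "thruput" and fields.get("name") == "thruput":
            samples.append(float(fields["instantaneous_kbps"]))
    return samples


def saturation(samples, max_kbps, margin=0.05):
    """Fraction of samples within `margin` of the configured maxKBps."""
    if not samples or max_kbps <= 0:  # maxKBps=0 means the limit is removed
        return 0.0
    near_limit = [s for s in samples if s >= max_kbps * (1 - margin)]
    return len(near_limit) / len(samples)


def throttled(text, max_kbps, threshold=0.8):
    """True when most intervals sit at the limit, i.e. the cap is the bottleneck."""
    return saturation(thruput_samples(text), max_kbps) >= threshold


if __name__ == "__main__":
    for limit in (256, 1024):
        print(limit, saturation(thruput_samples(SAMPLE), limit), throttled(SAMPLE, limit))
```

After each increment of the limit, rerun it on a fresh slice of metrics.log with the new maxKBps value; the limit stops being the bottleneck once the saturation fraction drops well below the threshold.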