We are currently on Elastic Stack, and I've been charged with comparing it to Azure Sentinel. Sentinel pricing is based on the size of logs ingested. I can query for index sizes, but I believe those include the parsed metadata as well as the original log, and I'm not certain whether we have any compression enabled, or what kind.
Is there a way to determine the size of the raw logs we are currently ingesting, or is there a common ratio between the two?