To get an accurate count of the number of events, look at the All Events filter, then send it to nDepth. This will give you the number of events per ten minutes. Multiply it by six to give you events per hour. According to the LEM scalability guide, with the default of 2 vCPUs and 8 GB memory - LEM can do 1.3 million per hour. If your number is more than that, I would bump up the vCPUs to 4 and memory to 16. There are other metrics to consider, such as size of the temp file and the queuing on the LEM - but that comes into play if your performance is really slow.
Did you apply the recommended default audit policies and the domain controller policies? These are documented in the admin guide. Once this domain policy is applied, use the "auditpol /get /category:*" on the monitored server to see the actual audit policy in place and verify that it matches up with the expected policy pushed by group policy. I have seen many situations where the Windows infrastructure was not designed properly and the servers would randomly not receive the GPOs.
If you have WFP (Windows Filtering Platform) turned on - turn it off. It generates lots of noise. It can even crash the LEM. You can tune it out - but the best way is to eliminate it at the source.
Previously in a 10 node situation (3 DCs and 7 regular servers), I saw about 120k events per hour.
Look at the type of events coming in, and attack them from the highest occurrence. For example, if the highest number of events involve WFP - eliminate that from the source. If the highest is from a firewall, see if the syslog is set to debug and set it to the appropriate level (notification).
That should get you started and hopefully improve performance. Now getting Reports to work in a timely manner - that's a different story.
Field Engineer II
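
The auditpol check described in the post above, as an added example that is not part of the original post or of any SolarWinds tooling: it reads the CSV form of the same command (`auditpol /get /category:* /r`) and reports every subcategory that differs from an expected baseline, including the two Windows Filtering Platform subcategories. The `Compare-AuditPolicy` function, the `$Expected` baseline and the sample rows are assumptions made for illustration; take the real baseline from the admin guide.

```powershell
# Added example: compare the effective audit policy with an expected baseline.
# $Expected is a CONSTRUCTED placeholder, not the policy from the LEM admin guide.
$Expected = @{
    'Logon'                          = 'Success and Failure'
    'User Account Management'        = 'Success and Failure'
    # WFP auditing is driven by these two Object Access subcategories.
    'Filtering Platform Connection'  = 'No Auditing'
    'Filtering Platform Packet Drop' = 'No Auditing'
}

function Compare-AuditPolicy {
    param(
        [Parameter(Mandatory)] [string[]]  $CsvLines,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    # Index the effective policy by subcategory name, skipping blank lines.
    $actual = @{}
    foreach ($row in ($CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv)) {
        if ($row.Subcategory) {
            $actual[$row.Subcategory.Trim()] = $row.'Inclusion Setting'
        }
    }
    # Emit one result per expected subcategory; a subcategory absent from the
    # output is reported as <missing> instead of being silently skipped.
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $have = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<missing>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $have
            Match       = ($have -eq $Baseline[$name])
        }
    }
}

# CONSTRUCTED sample in the layout of "auditpol /get /category:* /r"
# (GUID column replaced with a placeholder; host name is made up).
$Sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,{placeholder-guid},Success and Failure,
SRV01,System,User Account Management,{placeholder-guid},Success,
SRV01,System,Filtering Platform Connection,{placeholder-guid},Success and Failure,
SRV01,System,Filtering Platform Packet Drop,{placeholder-guid},No Auditing,
'@ -split "`r?`n"

# On a monitored server, from an elevated prompt, use live data instead:
#   $Sample = auditpol /get /category:* /r
Compare-AuditPolicy -CsvLines $Sample -Baseline $Expected |
    Where-Object { -not $_.Match } | Format-Table -AutoSize
```

Subcategory and setting names in auditpol output are localized, so the baseline keys must match the display language of the server being checked.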