I have a great amount of confidence in the clustering -- that is why I am using it. My "don't trust" comment was too harsh.
But, NOWHERE in my system am I comfortable saying that I have no external backups.
Being able to archive off my log data to a completely separate system is a safety net we need.

I can understand that but to be clear we are saying a fully redundant second site is not enough redundancy? AND full VM backups? (not sure vm backups are work for you tbh, maybe for config directories, but for all the data? these VMs will get big)

Still I can appreciate the idea, so to address this, I recommend looking at data roll.

You could archive as soon as the bucket rolls to warm (or any timeframe you wish) and roll it to a hadoop instance or amazon s3 bucket, or Isilon NAS, etc- basically anything that can run s3). And it is identical to rolling to frozen, as only the journal.gz goes. It even dedups replicated data and has fault tolerance.

Otherwise I'd look at rsync of the warm db to another system...I have my doubts this will scale if you do grow large...or striaght up configure your systems to send directly to an archive as a second data landing zone.

Also, remember the journal.gz is a proprietary file type, so if you roll them to archive, you need to bring em back into Splunk to be thawed, or use the bucket reader app in hadoop.

I am looking less for redundancy (as provided by cluster), and more to be able to take my X# of logs completely out of the system. Disaster recovery scenarios, or malicious user activity.

As for the VM -- I expect the majority of the data to not be part of the VEEAM backup. We are still sizing things, but I would rather go too safe and work backwards than have an issue I cannot get out of.

when you say "the system" do you really mean Splunk? or just the physical system itself?, cause it almost sounds like simply sending a second stream from source directly to archive is what would be easiest. is that possible?

If your are ok with the DR plan to be logs in the format of journal.gz, then yeah data roll or some custom rsync

By "system", I mostly mean splunk/the cluster.
We archive logs from several different groups to intermediate forwarders and finally to our splunk.
We have no insight into what others have, other than what they send via their intermediate forwarders.

so you are ok with it being in the journal.gz splunk proprietary format in the archive? if so, rsync or data roll

I believe that just the journal.gz should be fine. It is a small file, has all of the data i would need to make it searchable again, and can be copied off with no impacts if i wait until it is warm. Splitting to warm+frozen simultaneously would be more fun, but I shall make do.

Thank you for your help here.

Well if you can swing an HDFS or S3 interface data roll technically gives u warm + frozen(archive)!

Any time!

Good on ya for dilligently planjing for the worst!

I was aiming to use frozen to keep my storage size down -- it seems frozen buckets are significantly smaller than warm with the extra files removed.