I am installing Splunk Enterprise Security 4.1.1 and know that this application can gobble up file system space. I have Splunk installed in /opt/splunk (which is typical) and need to know where ES keeps all these files. My idea is to add additional storage to the system and make a symlink to it so there is plenty of space for ES and not killing my root fs.
Well there are a few different components to ES. But mainly, all of your application files will be under the $splunk_home$/etc/apps/ directory. Under here, ES has a lot of components it installs (DA-, SplunkEnterpriseSecuritySuite, SA-, and a few others.) Typically though, these wont grow huge, with the exception of the lookups. (Assets, Identities, Threathlist feeeds, and KVStore..)
Aside from that, if you're not running in a distributed environment, where your indexing tier is different from your SH, your $splunk_home$/var/lib/splunk directory will be where the actual indexes are stored and where the most space is consumed on disk.
I most production environments, we usually see the /opt/splunk/var/lib/splunk folder mounted on NAS/SAN/DAS with a nice large disk pool. The rest can usually reside nicely on the recommended 300gb partition.