To address a few points:
Side Question -- Answer
Splunk will not move data between Hot/Warm -> Cold -> Frozen based upon the dispatched searches. This is done based on retention policies, and with Frozen, with a manual thawing process.
Regarding SSD, in general testing, SSDs deliver better performance in general. More specifically they deliver better performance for sparse searches.
Regarding NFS: typically this is good for Frozen and Cold. But anything else, you don't want to go there.
In regards to aging data out, remember Splunk knows what's in the buckets (timestamps / sourcetypes etc.), so the rolling of buckets based on retention time shouldn't be a huge CPU hit, more disk and controller.
Other than that, it's hard to predict searchability without knowing the search types your users will be doing. Typically in incident response, you are limiting time ranges within a few weeks or days of the known event. So historical searching shouldn't be "all time" searches, but most likely smaller windows. If this is the case, it should be pretty good for performance as long as the deliverable IOPS are there and the SH isn't overloaded from user space knowledge objects and searches...
Mileage will vary.
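
The retention-driven bucket movement and storage split described in the answer above, sketched as an `indexes.conf` fragment. This is an added example, not part of the original post; the index name `ir_logs`, the mount points and the size and age values are assumptions.

```ini
# indexes.conf (constructed example: index name, paths and limits are assumptions)

# Local SSD for hot/warm buckets, where recent, frequently searched data lives
[volume:hotwarm]
path = /mnt/ssd/splunk
maxVolumeDataSizeMB = 500000

# Slower shared storage (for example NFS) for cold buckets
[volume:cold]
path = /mnt/nfs/splunk_cold
maxVolumeDataSizeMB = 4000000

[ir_logs]
homePath = volume:hotwarm/ir_logs/db
coldPath = volume:cold/ir_logs/colddb
# thawedPath may not be defined in terms of a volume
thawedPath = $SPLUNK_DB/ir_logs/thaweddb

# Warm -> cold: the oldest warm bucket rolls once this count is exceeded
maxWarmDBCount = 300

# Cold -> frozen: a bucket freezes when its newest event is older than this
# (31536000 s = 365 days). Searches never trigger this movement.
frozenTimePeriodInSecs = 31536000

# Size-based freeze: the oldest buckets also freeze when the index exceeds this
maxTotalDataSizeMB = 3000000

# Archive frozen buckets here instead of deleting them; they are not
# searchable until manually copied into thawedPath and rebuilt
coldToFrozenDir = /mnt/nfs/splunk_frozen/ir_logs
```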