From a strictly theoretical perspective, you could store your data on any storage your OS can access. After all Splunk uses system calls to access its files so as long as it can open those files, you're "good". But the problem is that not every storage performs equally well hence the rule of thumb about using local storage only. The "slow" storage which can be used for cold storage which is typically less often used means usually still relatively quick HDDs versus SDD recommended for hot/warm storage. Remember that latency in accessing slow storage would have noticeable impact on overall Splunk's performance, not just those searches that access cold data. That's one thing. Another thing is that if you want to reach over the network for data, Splunk process must be able to access the share the data is stored on so you will definitely _not_ be able to do so running Splunk with either LOCAL_SYSTEM user or the default Splunk user. But still, the most important thing is that you should not use NAS or NFS for Splunk storage - there is too much overhead and the latency is too high for reasonable performance.
... View more