Honestly, I think it's far more likely for the vulnerability to appear in some minor API endpoint somewhere than the public-facing webservers. Or in our case, a third party app that's installed on the servers to monitor logs. In other words - it's a storm that will need to blow over, and there isn't a lot the end user can do about it.
What sort of hardware do you build your Splunk boxes on? My company runs a managed service based on Splunk and historically designed the boxes around storage rather than Splunk performance (each box had 27tb, but used slow 7200rpm drives in a RAID5 array). I'm in the process of designing a new system that will be Splunk-forward for the customers who need less storage, but better performance for queries and reporting. Splunk needs lots of disk IO for that.
My indexers will be a Dell 720 with 48gb RAM and 16 1.2tb 10k rpm drives in a RAID 1+0 array. The Search Heads will be the same box, but with 4x 800gb SSD in a RAID 1+0 array. For long term storage, we're going to use an NFS mount with the original boxes (720s with 27tb storage and 24gb RAM), where raw disk IO isn't important. The Search Head will talk to the indexers over 10gbBT, incoming logs for the indexers will come in via a 2nd 10gbBT, and user access to the Search Head is over 10gbBT. Management access and indexer-to-archive will each have their own dedicated 1gbBT links.
Believe it or not, some of my Splunk-savvy customers need that sort of system to get the performance they demand. The one customer driving this is excited about the initial design. It'll actually be cheaper for them, hardware-wise, than the existing estate which requires more of the older boxes to keep up with their Splunk needs.
BTW, I'm going to start working on a Splunk Certified Architect cert in a few weeks.
ETA: The new design is modular. If we need more archive, just add an archive server to the network and configure NFS, diddle some scripts, and away you go. If more indexing capacity is needed, just add another indexer. Previously, you had to replace an entire box and migrate Splunk, the archive data, etc.
Chris