ELK stack questions

This thread is rather off-topic for the Development group where it was posted. Anyway...

  1. Elasticsearch doesn't have a native concept of hot backup nodes. It's possible that you can configure it to place only replica shards on the third node and avoid querying those shards, but it's probably too much work. What problem are you trying to solve?
  2. I actually thought it was compressed by default. The source document isn't normally used for searches (as long as the fields are stored), so it shouldn't slow down too much.
  3. Why would 30 GB "obviously" be too much? If the size of the raw log files is 30 GB it's totally possible that this'll require more than 30 GB of ES storage even with compression, depending on how you analyze the logs. Not sure what you mean by your last question about snapshot for a month back.
  4. Are you talking about ES snapshots, mainly used for backups? If so, the answer is no. Data in on-disk snapshots is not available to ES, and consequently not to Kibana either. If you're talking about something else, the answer is that any data that's online in ES is also available to Kibana.