Hi,
I'm currently researching on the use of Retention Policy on Splunk by setting it to only keep data for 6 months. I will most likely be editing `frozenTimePeriodInSecs` attribute in `indexes.conf`. The attribute is currently set to default (which is 6 years I think).
I have a few questions regarding the implementation of the retention policy and I can't seem to find the answer online.
May I know after I make the changes to indexes.conf and restart Splunk.
**- Does the change take effect immediately?
- What happens to the old data (eg those older than 6 months), will the old data be deleted immediately after restarting?
- Do I have to create the indexes.conf file, or is it already stored inside the server?
- Does this change affect all the buckets, or only those older data in the warm/cold buckets?**
I'm using Splunk to do some automated housekeeping for my log data and I wish to know more about it.
Any help will be greatly appreciated. Thank you.
↧