Hi, may i know how to configure Splunk to only retain a rolling window of 3 months of logs data?
I'm completely new to the retention policy so any help or step by step instruction will be greatly appreciated.
If you want to remove data completely from the system after 3 months, then you might need to set frozenTimePeriodInSecs=7776000 in indexes.conf
Please refer below for detailed information
View solution in original post