Setup:
Index name: A
Index name: B
Hosts: a1, a2
Requirement:
Hosts a1, a2 -----> forward logs to index 'A'.
I want to separate/move the 'a2'-related events to index 'B' after 30 days.
Workaround:
Roll the hot buckets from index 'A' and move them to index 'B'.
Delete the 'a1'-related events via a search query run with the 'can_delete' role (query: index=B host=a1 | delete).
But the host a1 indexed data is still present in the index 'B' buckets,
which in my case is a problem considering my disk space. So I need to delete the data from the buckets as well.
Are there any options available?
Also, when I copy the warm buckets into index B, they are immediately available to search queries. Is a rebuild/restart not necessary here?
Easiest solution: Have host a1 log into index A and host a2 into index B. Set index A to delete after 30 days. Search over index=A OR index=B to get events from both hosts for the last 30 days.
Anything involving moving stuff will end up more complicated, so you should have a good reason to make things more complicated than necessary.
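The layout this answer describes, written out as Splunk .conf fragments. This is an added illustration and not configuration posted in the thread; the monitored path, the sourcetype and the file locations are assumptions, and only the index names A and B and the 30-day period come from the thread.

```ini
# --- On forwarder host a1: $SPLUNK_HOME/etc/system/local/inputs.conf (location assumed) ---
# Monitored path and sourcetype are assumptions; only the index assignment matters here.
[monitor:///var/log/app]
index = A
sourcetype = app_log

# --- On forwarder host a2: same file, pointed at the other index ---
[monitor:///var/log/app]
index = B
sourcetype = app_log

# --- On the indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Splunk .conf files only accept comments on their own line; text after a
# value on the same line becomes part of the value, so keep notes above the setting.
[A]
homePath   = $SPLUNK_DB/A/db
coldPath   = $SPLUNK_DB/A/colddb
thawedPath = $SPLUNK_DB/A/thaweddb
# 30 days = 30 * 86400 seconds. A bucket is frozen once its newest event is
# older than this; with neither coldToFrozenDir nor coldToFrozenScript set,
# freezing means the bucket directory is deleted from disk.
frozenTimePeriodInSecs = 2592000

[B]
homePath   = $SPLUNK_DB/B/db
coldPath   = $SPLUNK_DB/B/colddb
thawedPath = $SPLUNK_DB/B/thaweddb
# No frozenTimePeriodInSecs here, so B keeps the default (about 6 years)
# until a longer or shorter retention is chosen for the a2 data.
```

With this in place the search in the answer, `index=A OR index=B earliest=-30d`, returns both hosts' events for the last 30 days without any bucket copying. Two caveats worth knowing: retention is enforced per bucket, so a1 events can outlive the 30 days by a little until the whole bucket they sit in has aged out, and `| delete` only hides events from search, which is exactly why the original poster still sees a1 data occupying disk in index B's buckets.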
In that case I recommend you talk to that expert about how to implement his design.
Create indexes per customer, and change their retention policy when they change their requirements. Delete their index when they cancel their subscription.
Are you a Splunk MSP?
I agree with the separate index concept. But according to our business case we have fewer indexes. This design was proposed by a Splunk expert from Splunk Corp.
This is a sample example. But this is very much needed in my business case for managed security services: I would receive logs from 100s of hosts, where based on some criteria I will be placing logs under a certain index name. Later,
I would need to identify and delete the logs of particular hosts (physically),
or I would need to move the indexed data of a particular host to another index (this is my use case).
Could you explain more on why you need to move indexed data between indexes?
Different retention policies and/or different access policies = create and put data into different indexes and let Splunk handle the deletion for you. Splunk will "freeze" buckets when either they get too old or the size of the index is too large (both configurable). At that time Splunk will remove the bucket from searching and will delete, archive, or perform another custom action (again based on the index configuration).
Scenario:
I have an index structure based on retention policy.
(Eg: 12-Months-Index, 24-Months-Index, 36-Months-Index, 5-Years-Index)
If a customer subscribes for a retention period of 12 months, I will direct this customer's logs to my first index.
Let's say the customer wants to continue his subscription for another 2 years; I will direct the logs to the 2nd index. Moreover, in case the customer wants his past 1 year as well (for statistical purposes), I want to move the indexed data from the 12-Months-Index to the 24-Months-Index directory.
For this purpose, I want the data movement from one index to another index.
NOTE: For providing managed security services, the Splunk ES application is deployed, where a number of correlation search queries are running. If I separate the customers into separate indexes (in that case the index count will increase), I have a problem of search query performance slowing down (index=cust1 OR index=cust2 OR index=custN). To overcome this, we have a setup of indexes based on retention policy, so the index count will be lower.
Also, I need an answer for this:
If a customer leaves in 6 months (where he already subscribed for 1 year retention), how do I physically delete his data from the disk? Since Index-12-Month contains data of other customers too, I need selective deletion.
Please advise.
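The retention-tier layout from the scenario above, expressed with the time-based and size-based freeze settings described earlier in the thread. This is an added example, not configuration from the thread or from Splunk; the index names are the scenario's names lowercased (Splunk index names may only contain digits, lowercase letters, underscores and hyphens), and the archive directory and size cap are assumptions.

```ini
# $SPLUNK_HOME/etc/system/local/indexes.conf on the indexer (location assumed).
# One index per retention tier; each customer's forwarder sets index= to the
# tier the customer subscribes to. Comments must sit on their own lines.

[12-months-index]
homePath   = $SPLUNK_DB/12-months-index/db
coldPath   = $SPLUNK_DB/12-months-index/colddb
thawedPath = $SPLUNK_DB/12-months-index/thaweddb
# 365 days * 86400 s. Buckets whose newest event is older than this are frozen,
# and with no archive setting below, frozen means deleted from disk.
frozenTimePeriodInSecs = 31536000

[24-months-index]
homePath   = $SPLUNK_DB/24-months-index/db
coldPath   = $SPLUNK_DB/24-months-index/colddb
thawedPath = $SPLUNK_DB/24-months-index/thaweddb
# 730 days
frozenTimePeriodInSecs = 63072000
# Size-based trigger (value is an assumption): when the index exceeds this many
# MB, the oldest buckets are frozen first, regardless of their age.
maxTotalDataSizeMB = 200000

[36-months-index]
homePath   = $SPLUNK_DB/36-months-index/db
coldPath   = $SPLUNK_DB/36-months-index/colddb
thawedPath = $SPLUNK_DB/36-months-index/thaweddb
# 1095 days
frozenTimePeriodInSecs = 94608000

[5-years-index]
homePath   = $SPLUNK_DB/5-years-index/db
coldPath   = $SPLUNK_DB/5-years-index/colddb
thawedPath = $SPLUNK_DB/5-years-index/thaweddb
# 1825 days
frozenTimePeriodInSecs = 157680000
# Archive instead of delete: frozen buckets are copied to this directory
# (path is an assumption; give each index its own directory) before being
# removed from the searchable index. coldToFrozenScript is the custom-action
# alternative mentioned in the thread.
coldToFrozenDir = /srv/splunk-frozen/5-years-index
```

Read against the two questions at the end of the scenario: the per-bucket freeze settings above cannot delete one customer's events out of a shared 12-month bucket, because a bucket is the smallest unit Splunk ages out, which is the reason the earlier reply suggests a per-customer index whose frozenTimePeriodInSecs is simply edited when the subscription changes and which is removed whole (for example with `splunk clean eventdata -index <name>` on a stopped indexer) when the customer cancels. Whether that trades acceptably against the search-performance concern with ES correlation searches is the design question the thread leaves with the Splunk expert.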