Thank you for your replay.

Just to clarify here is an example from indexes.conf from master server with frozenTimePeriodinSec at the bottom: 

[demisto_poc]
homePath = volume:ssd/demisto_poc/db
coldPath =  volume:sas/demisto_poc/colddb
thawedPath = /splunk_thawed_data/demisto_poc/thaweddb
homePath.maxDataSizeMB = 1000
maxTotalDataSizeMB = 10000
repFactor = auto
frozenTimePeriodInSecs = 48384000

Could you tell me if there is no correlation between those settings that might cause the issue? 

I deployed this change two days ago and till today there is no effect when I check the oldest log available on the search heads.

Thanks 

Hi @DawidM,

I don't see anything that may cause the issue. Could you please run and share below search outputs?

Below will show buckets time/size/path info for demisto_poc index. Please run the search using  "All time" timerange;

| dbinspect index=demisto_poc 
| convert ctime(*Epoch) 
| eval rawSizeMB=round(rawSize/1024/1024,2) 
| eval sizeOnDiskMB=round(sizeOnDiskMB,2) 
| table index bucketId startEpoch endEpoch rawSizeMB sizeOnDiskMB state path splunk_server
| addcoltotals rawSizeMB sizeOnDiskMB

 Below will show the frozenTimePeriodinSec setting on Indexers;

| rest /services/properties/indexes/_internal/frozenTimePeriodInSecs

If this reply helps you an upvote is appreciated.

Thanks for clarifying this. I have made a change to the file indexes.conf in the directory /opt/splunk/etc/master-apps/sky_cluster_indexer_base/local on the master server and then I have applied the cluster change with a command:

/opt/splunk/bin/splunk apply cluster-bundle

however there is no affect on search head servers. Should I restart them to start deleting the old logs (5 years)?