Precedence of log retention configuration

Deployment Architecture

Hi Team,

Our Splunk License is going to get expired and we are working to get a new license .Our current environment is a clustered one with 12 indexers ,1 SH ,1 CM and 1 DS . However we have decided to stop the ingestion of data and would like to keep Splunk intact only for searching of the already indexed data . As a result we are planning to move to Free-license for time being . We do understand in free license clustered model wont work and each splunk instance become standalone but we are okay to perform the search on individual indexer if required . However our concern is the log retention configuration is currently placed in the following directory in all of the indexers that is /files0/splunk/etc/Master-app /_cluster/local/indexer.conf , will this still have higher precedence over /files0/splunk/etc/system/default/indexer.conf or do we need to make changes ?

Get Updates on the Splunk Community!

Precedence of log retention configuration

distributed search

indexer clustering

search peer

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Precedence of log retention configuration

distributed search

indexer clustering

search peer

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem