Hi there,
A question regarding the retention policy approach in a clustered multi site-cluster two sites with each 3 indexers (replication factor 2+1).
We are planning a retention policy over 120 days and I feel the indexer's attitude towards cold to frozen is still somewhat unclear. Is that true that the cluster master handles the backup handling (coldToFrozen) and thus not every indexer pushes the cold buckets too frozen, otherwise we would have a huge storage space requirement.
https://answers.splunk.com/answers/241066/how-is-bucket-deletion-due-to-retention-managed-in.html
Many thanks!
Each indexer manages its own cycling from cold->frozen (and indeed hot->warm->cold)
The default behaviour of which (if left unconfigured) is to delete the data once frozen.
It is true to say, the CM maintains the process on behalf of the cluster (ie marking buckets as frozen) but each indexer is responsible for removing (or freezing) its own copy of the data