Yes, you can change retention settings for your indices at any time. If you reduce it, Splunk will start rolling off data based on your index configuration.
If you increase it, buckets will be kept longer, according to new retention settings. In this case, make sure you have enough storage across your indexing tier to maintain the longer data retention.
- the change requires a rolling restart of your cluster
- if you decrease retention, Splunk will process all buckets to determine which ones should now be archived/deleted. This may take a while, but should not have material impact on indexing and search otherwise
If we decrease retention - shall this free some disk space?
For example - we have accumulated data for 5 years and now want to set max. retention time to 2 years.
So, if we will set frozenTimePeriodInSecs to two years - will that remove any older buckets off the disk?