I want to freeze all data older than 90 days.
My /opt/splunk/etc/system/local/indexes.conf file looks like this
rotatePeriodInSecs = 60
coldToFrozenDir = /logs/frozen
maxTotalDataSizeMB = 400000
frozenTimePeriodInSecs = 7776000
But I still have data that is up to six months old. Can someone suggest other places to look to correct this?
See below link which explains various properties involved in setting up the retention policy and bucket life cycle.
Basically, you need to setup maxHotSpanSecs and maxWarmDBCount to values so that your data bucket is getting rolled over to frozen. It will be deleted only after it's moved to frozen state.
First, verify the value stuck by running splunk cmd btool indexes list main.
splunk cmd btool indexes list main
Then, check if the bucket containing that old data happens to also contain newer data. It'll get rolled when the youngest event is older than the frozen period.