Was wondering how I can view my data retention settings in Splunk. Installation is on a Linux platform.
| rest /services/data/indexes
| where disabled = 0
| search NOT title = "_*"
| eval currentDBSizeGB = round(currentDBSizeMB / 1024)
| where currentDBSizeGB > 0
| table splunk_server title summaryHomePath_expanded minTime maxTime currentDBSizeGB totalEventCount frozenTimePeriodInSecs coldToFrozenDir maxTotalDataSizeMB
| rename minTime AS earliest, maxTime AS latest, summaryHomePath_expanded AS index_path, currentDBSizeGB AS index_size, totalEventCount AS event_cnt, frozenTimePeriodInSecs AS index_retention, coldToFrozenDir AS index_path_frozen, maxTotalDataSizeMB AS index_size_max, title AS index
You can only directly set a maximum retention period.
The way to 'set' a minimum retention period is to manually calculate how fast you are accumulating logs and then make sure you have allocated enough disk space to your indexes.
This is found in indexes.conf and is set on a per-index level.
The parameter is called frozenTimePeriodInSecs and is expressed in seconds. If it does not exist, then the default value of 188697600 is used, which is approximately 6 years.
Read more in the docs,
http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setaretirementandarchivingpolicy
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Configureindexstorage
Hope this helps,
Kristian
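As an added example (not part of either answer above, and not Splunk's own code), the script below does offline what the REST search and the indexes.conf notes describe: it parses an indexes.conf, resolves frozenTimePeriodInSecs and maxTotalDataSizeMB for each index the way Splunk layers them (index stanza, then the [default] stanza, then the built-in default of 188697600 seconds), and then applies the "minimum retention" reasoning from the answer: given a measured daily ingest per index, it reports which indexes will roll data to frozen before a required retention window because of the time limit or because the size cap fills first. The indexes.conf content, index names, ingest rates and the 180-day requirement are all constructed for the example; the built-in maxTotalDataSizeMB default of 500000 MB is the documented Splunk default and is assumed here.

```python
"""Report effective Splunk index retention from an indexes.conf.

Added example, not Splunk's own code. Resolution order mirrors Splunk's
layering: index stanza -> [default] stanza -> built-in default.
"""
import configparser

DEFAULT_FROZEN_SECS = 188697600   # built-in frozenTimePeriodInSecs (~6 years)
DEFAULT_MAX_TOTAL_MB = 500000     # built-in maxTotalDataSizeMB (assumed default)
SECS_PER_DAY = 86400

# Constructed sample indexes.conf (not from a real deployment).
SAMPLE_INDEXES_CONF = """
[default]
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 500000

[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB = 200000

[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxTotalDataSizeMB = 50000

[proxy]
homePath = $SPLUNK_DB/proxy/db
coldPath = $SPLUNK_DB/proxy/colddb
thawedPath = $SPLUNK_DB/proxy/thaweddb
disabled = 1
"""


def parse_indexes_conf(text):
    """Return {stanza_name: {key: value}} for every stanza in the file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                 # keep camelCase keys as written
    cp.read_string(text)
    # [default] (lowercase) is an ordinary section to configparser; Splunk's
    # inheritance from it is applied in effective_settings().
    return {name: dict(cp[name]) for name in cp.sections()}


def effective_settings(indexes):
    """Resolve retention-related settings per index, recording the source."""
    defaults = indexes.get("default", {})
    result = {}
    for name, stanza in indexes.items():
        if name == "default":
            continue

        def lookup(key, builtin):
            if key in stanza:
                return stanza[key], "index"
            if key in defaults:
                return defaults[key], "[default]"
            return builtin, "built-in"

        frozen, frozen_src = lookup("frozenTimePeriodInSecs", DEFAULT_FROZEN_SECS)
        max_mb, _ = lookup("maxTotalDataSizeMB", DEFAULT_MAX_TOTAL_MB)
        result[name] = {
            "disabled": str(stanza.get("disabled", "0")).lower() in ("1", "true"),
            "frozen_secs": int(frozen),
            "retention_days": int(frozen) / SECS_PER_DAY,
            "retention_source": frozen_src,
            "max_total_mb": int(max_mb),
        }
    return result


def check_retention(settings, required_days, daily_ingest_mb):
    """Flag enabled indexes that cannot hold required_days of data.

    'time' findings: frozenTimePeriodInSecs is shorter than the requirement.
    'size' findings: maxTotalDataSizeMB divided by measured ingest (MB/day)
    fills up before the requirement, so data freezes early regardless of time.
    Returns a list of (index, reason, days_actually_retained).
    """
    findings = []
    for name, s in sorted(settings.items()):
        if s["disabled"]:
            continue
        if s["retention_days"] < required_days:
            findings.append((name, "time", s["retention_days"]))
        ingest = daily_ingest_mb.get(name)
        if ingest:
            size_days = s["max_total_mb"] / ingest
            if size_days < required_days:
                findings.append((name, "size", size_days))
    return findings


if __name__ == "__main__":
    settings = effective_settings(parse_indexes_conf(SAMPLE_INDEXES_CONF))
    for name, s in sorted(settings.items()):
        print(f"{name:12} disabled={s['disabled']!s:5} retention={s['retention_days']:7.1f}d "
              f"({s['retention_source']}) maxTotal={s['max_total_mb']} MB")
    # Constructed ingest figures (MB/day) and a 180-day retention requirement.
    for idx, reason, days in check_retention(settings, 180,
                                             {"wineventlog": 400, "firewall": 1000}):
        print(f"SHORT: {idx} limited by {reason} to {days:.0f} days")
```

Run it against a copy of your real indexes.conf by replacing SAMPLE_INDEXES_CONF with the file contents, and feed check_retention the per-index daily volume from the REST search above (currentDBSizeMB over the span between minTime and maxTime is a serviceable estimate). A "size" finding is the case the answer warns about: the time limit looks fine, but the index will freeze older buckets once maxTotalDataSizeMB is reached.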