@jiaminyun

If you find this solution satisfactory, please proceed to accept it.

@jiaminyun 

Splunk prioritizes evaluating the total data size in the index against the `maxTotalDataSizeMB` parameter. If the total size exceeds the defined limit, Splunk will begin deleting the oldest buckets, regardless of whether they satisfy the retention period defined by `frozenTimePeriodInSecs`. Conversely, if the data size remains within the specified limit, the system will then assess buckets based on the `frozenTimePeriodInSecs` parameter to archive or delete those exceeding the time threshold. To ensure consistent data retention for a specific duration (e.g., 200 days), it is essential to configure `maxTotalDataSizeMB` to accommodate the anticipated volume of data for the desired retention period.

@jiaminyun  

The priority between frozenTimePeriodInSecs and maxTotalDataSizeMB can be understood as follows:

maxTotalDataSizeMB Takes Precedence: If the index size exceeds

maxTotalDataSizeMB before reaching the time set in frozenTimePeriodInSecs, the data will be rolled to frozen state based on the size limit.

http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy