I'm thinking of something like the following:
- increase index retention from 2 months to 6 months. (i'm expecting this to increase disk utilization)
- use tsidx reduction (hoping this will reduce my disk utilization to somewhat offset the increase in retention time)
- enable report acceleration
Wondering if I would get 6 months of acceleration???
Unfortunately, frozen data is frozen--Splunk cannot include it in report acceleration summaries, because report acceleration summaries are tied to the indexed data at the index bucket level (they live in your primary index, in other words).
So you have two choices. If you want to use report acceleration over a year's span, you'll need to extend your retention policy from 90 days to a year. But if you can't do that, you might try summary indexing instead. This process summarizes your data in a separate summary index that can have a different retention policy than your primary index, or no retention policy at all.