Hi, may i know how to configure Splunk to only retain a rolling window of 3 months of logs data?
I'm completely new to the retention policy so any help or step by step instruction will be greatly appreciated.
Thank you.
If you want to remove data completely from the system after 3 months, then you might need to set frozenTimePeriodInSecs=7776000 in indexes.conf
frozenTimePeriodInSecs=7776000
Please refer below for detailed information
https://wiki.splunk.com/Deploy:BucketRotationAndRetention http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy
View solution in original post
