Need to understand how retention works (_time and Indexed time)
If I have set FrozenTimePeriodInDays = 30
Event: Suppose I don't have a date in my events, like below:
Event: Identity "32020" , Sys "123" , location "USA" , Region :Asia" , Type :Balance"
If I run the DB query at 30-1-2019 at 3.30 AM
As per my understanding, if the event does not have a date, it would take the index time. Since the query ran at 30-1-2019 at 3.30 AM, it will show the date in events as below:
Event in Splunk: 2019-1-30 4:00:14, Identity "32020" , Sys "123" , location "USA" , Region :Asia" , Type :Balance"
So, as the retention period is set to 1 month, the above event, which is generated today, will get deleted or archived after one month, which is 30 Feb.
In case there is a date in the event, like below:
Event in Splunk: 2018-1-30 4:00:14, Identity "32020" , Sys "123" , location "USA" , Region :Asia" , Type :Balance"
If I run the DB query at 30-1-2019 at 3.30 AM
As the retention period is set to 1 month, in this case if I run the query at 30-1-2019 at 3.30, kindly correct me here if I am wrong: data will not come into Splunk, as it will check the event date against today's date, and if it is more than 1 month then it will not index the data.