We had an index named axo, which is around 3 years old and had around 300 GB of data.
Now we have decided to reduce the index size, by retaining only the latest 90 days of data.
We have updated the "frozenTimePeriodInSecs = 7776000" in /opt/splunk/etc/system/local/indexes.conf.
We also ran btool command (./splunk cmd btool indexes list) to see if there are mutiple .conf files.
But in the btool result as well, we observed "frozenTimePeriodInSecs = 7776000" was correct.
When we do the search, we still see the old data of the past 2 years.
Is the method of reducing the size of index correct?
Do we need to follow any other method? Please guide.
PS: "maxHotSpanSecs = 7776000"
... View more