"Correct" is only how you define it. What exactly do you want done? "Purging data" is easy enough, but how much? I assume keep 1 year? jkat54 was right on the money - this has to be done on EACH index. Once changed you have to restart Splunk to make the changes take effect, but when you do they will take effect immediately. Also note "frozenTimePeriodInSecs" is in seconds, "1Yrs" won't work. But if you just meant you'd figure that out and put in the right number, well, that's fine, I just wanted to double-check. I'd not worry much about hot/warm and bucket sizes and whatnot, those honestly are details that probably don't matter much in your case. It's worth noting that it's wise usually to make ONE change at a time and confirm it worked correctly before moving on to the next change. If the bucket sizes and so on still bother you after you've got your retention straightened out, mark this question as answered and create a new question for that issue. ... View more

Makes perfect sense. The current server can function as the indexer and the new one(s) would be the search heads. The best practice when moving from one Splunk server to multiple servers, is to keep the original server as the indexer, as you planned on doing. ... View more