Thanks all for reply. Than if i apply on my config: [YourIndexName] homePath = $SPLUNK_DB/YourIndexName/db coldPath = $SPLUNK_DB/YourIndexName/colddb thawedPath = $SPLUNK_DB/YourIndexName/thaweddb #Rollover data bucket everyday maxHotIdleSecs = 86400 #Keep data searchable for 180 days frozenTimePeriodInSecs = 15552000 when i specify a maxium life of a host bucket (maxHotIdleSecs), and than Splunk rolls it to warm, my data is also available on Spunk? is data yet searchable? In this case i have always latest 180 days searchable on Splunk? for example on 30 October will the logs available on Splunk until November 30? Thanks for your patience 🙂 Thanks a lot. ... View more

Hi somesoni2, thanks for reply. But in this case everyday bucket rolled, in this case i have always evailable data searchable for latest 6 months. Customer wants a windows of events available for 6 months. Example: If today is 13 April logs must be available until 13 October, tomorrow that is 14 April logs should be available on Splunk until 14 October...and so on! This should work for a window of 6 months. Thanks. ... View more

Hi wookcock, customer wants logs available on Splunk (searchable via web) of exactly latest 6 months. ... View more

Thanks richgalloway!! ... View more