Hi Team,
We were using Splunk Enterprise for the last few years. Recently, by May 2019, we migrated all the data from all indexes from Splunk Enterprise to Splunk Cloud (i.e., we have reconfigured the data in Splunk Cloud).
My query is that we started migrating the data only during May 2019, but if we search the data for 2015, 2016, 2017 and so on, I am able to see the events in Splunk Cloud for a few of the indexes.
The default retention is 90 days. But how come it holds data which is very old? I am even able to see data from 2013 as well. So how does the bucketing system work for Splunk Cloud?
And simultaneously, when I searched the configured data after 90 days as per the retention policy, I can't see the logs searchable after 90 days, but still how come it holds the old data?
Do we have any architecture diagram explaining the mechanism or how it works?
Kindly help to check and update on the same.