Splunk does not delete individual events - it removes entire buckets when either the size or time limit is reached. When deleting by time, because the whole bucket is deleted, it's important that all of the events in that bucket be old enough to delete. If any event is too new, then the bucket will not be touched. Every bucket has two dates (for our purposes, anyway) associated with it - the start date (_time of the first event added) and the end date (_time of the last event added). The end date is the one that determines when the bucket can be deleted/frozen. I've seen sites where data is poorly onboarded and has _time values in the future - sometimes by years. When that happens, the bucket will remain in the system until frozenTimePeriodInSecs after that future date passes.
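The time-based rule described above can be checked against a list of bucket directory names. This is an added example, not part of the original post or Splunk's own code. It assumes the warm/cold directory naming `db_<newestTime>_<oldestTime>_<id>` (with an optional GUID suffix and an `rb_` prefix on clustered indexers), uses constructed sample names and a constructed clock value, and models only the time limit, not the size limit.

```python
import re

# Assumed directory layout: db_<newestTime>_<oldestTime>_<localId>[_<guid>]
# ("rb_" for replicated copies). Hot buckets (hot_v1_<id>) carry no times.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)(?:_[0-9A-Fa-f-]+)?$")


def freeze_report(bucket_dirs, frozen_secs, now):
    """Return one dict per warm/cold bucket describing time-based freeze status.

    A bucket is eligible only when its NEWEST event is older than
    frozen_secs; the age of its oldest event does not matter.
    """
    report = []
    for name in bucket_dirs:
        m = BUCKET_RE.match(name)
        if not m:
            continue  # hot bucket or unrelated directory
        newest, oldest = int(m.group(1)), int(m.group(2))
        eligible_at = newest + frozen_secs
        report.append({
            "bucket": name,
            "oldest": oldest,
            "newest": newest,
            "eligible_now": now - newest > frozen_secs,
            # Events stamped after "now" pin the bucket until that date passes.
            "future_events": newest > now,
            "days_until_eligible": max(0, eligible_at - now) / 86400,
        })
    return report


# Constructed sample data: clock fixed at 2023-11-14, 90-day retention.
NOW = 1700000000
FROZEN_SECS = 90 * 86400
SAMPLE_DIRS = [
    "db_1690000000_1689000000_12",  # newest event > 90 days old
    "db_1699000000_1680000000_13",  # old start, but newest event is recent
    "db_1893456000_1699500000_14",  # newest event stamped 2030-01-01
    "hot_v1_15",                    # hot bucket, skipped
]

if __name__ == "__main__":
    for row in freeze_report(SAMPLE_DIRS, FROZEN_SECS, NOW):
        flag = "FUTURE _time" if row["future_events"] else ""
        print(f'{row["bucket"]:32} eligible_now={row["eligible_now"]!s:5} '
              f'days_left={row["days_until_eligible"]:8.1f} {flag}')
```

Buckets flagged with future `_time` values are the ones that outlive the intended retention period, which matters when retention is a compliance or data-minimisation control.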