Data retention is not based on _time; it's actually based on _indextime and the max size set. For example, if I index the below sample data now:
2020-03-02 12:23:23 blah blah
Retention time: 6months
Maxsize: 100GB
then the _time of the event will be 2020-03-02 12:23:23 but _indextime will be 2025-06-25 HH:MM:SS, so this data will not get deleted immediately since _time of this event is 5 years old.
@woodcock #Splunk Remote Upgrader for Linux Universal Forwarders
It's not working; please see the serverclass.conf below. I even tried adding targetRepositoryLocationPolicy under the serverClass stanza [serverClass:push_force_del_pkg_uf]. On the UF it is still copying the app under the /opt/splunkforwarder/etc/apps folder, but I want it to be in the /tmp directory.
[global]
targetRepositoryLocationPolicy = rejectAlways
[serverClass:push_upg_pkg_app:app:splunk_app_uf_remote_upgrade_linux]
[serverClass:push_upg_pkg_app]
whitelist.0 = XX.XX.XX.XX
[serverClass:push_force_del_pkg_uf]
targetRepositoryLocation = /tmp/
whitelist.0 = XX.XX.XX.XX
[serverClass:push_force_del_pkg_uf:app:SPLUNK_UPDATER_MONITORED_DIR]