I'm having some trouble getting this to work as well (I only want to save 6 months back).
I've created an indexes.conf and put it in
/splunk/etc/system/local/indexes.conf
And the only line in that file is
frozenTimePeriodInSecs = 15768000.
I've restarted Splunk several times, but nothing happens.
What would be the easiest way to remove data older than six months and keep it that way based on what I've done?
Keep in mind I've barely touched Splunk, I just installed it.
Cheers!