How are events that don't meet retention policies dealt with in Splunk?


In Splunk, events that do not meet retention policies are typically "frozen" or archived. When an event reaches the end of its configured retention period, it is removed from the regular search path and is effectively frozen. Freezing often involves moving the data to a different storage medium, such as a separate file system, and the frozen data can be compressed or archived for long-term storage.

Freezing data keeps the index size manageable and ensures that only relevant or recent data is readily searchable, while still leaving an option to retrieve older data if necessary. This approach allows organizations to balance search performance against storage costs.

The options that suggest sending events to an external server or moving them to a backup location do not accurately represent how Splunk handles events once they exceed retention policies. Freezing instead serves both data management and compliance with corporate data retention requirements, while keeping the primary operational index performant and concise.
