How long is the frozen time period set for the securityops index?


The frozen time period for the securityops index in Splunk is set to 90 days. This means that data ingested into this specific index is retained for three months before its buckets roll to frozen, at which point they are archived or deleted depending on your configuration.

Setting the frozen time period to 90 days balances the need for sufficient data retention for security analysis and compliance with storage management best practices. It allows organizations using Splunk to maintain access to relevant security information for investigations, audits, or other security-related inquiries over a meaningful review period. After the frozen time period elapses, the data can either be archived for long-term storage or purged depending on organizational policy, ensuring that system performance is not hampered by excessive data accumulation.

In contrast, shorter periods such as 30 or 60 days might not provide enough historical data for comprehensive analysis, while an excessively long retention time, like 120 days, could lead to unnecessary storage costs and potential performance degradation. Therefore, the 90-day period is typically viewed as a best practice for security operations within Splunk implementations.
