What is the default action when data is frozen in Splunk?

When data is frozen in Splunk, the default action is that the data is deleted. In the context of Splunk’s data lifecycle management, freezing occurs when data has reached the end of its retention period. At this point, data is no longer relevant for search purposes and would generally not be accessible within the typical search interface.

Freezing is an important feature because it ensures that Splunk can manage storage effectively and maintain optimal performance by removing outdated or unnecessary data. When data is frozen, it is removed from the index, making it important to configure retention policies thoughtfully to avoid unintentional data loss.

The other actions related to data management in Splunk—such as being searchable, archived, or compressed—apply at different stages in the data lifecycle, but freezing specifically leads to data deletion under default settings.