What occurs to indexed events older than the frozen time period in Splunk?

Prepare for the Splunk System Administration Exam. Master your skills with flashcards and multiple choice questions, each with hints and detailed explanations. Boost your proficiency and ace the exam!

In Splunk, indexed events that reach the end of their frozen time period are deleted from the system. This means that once the specified retention period for the data has lapsed, these events are no longer stored in the index and are permanently removed from the Splunk environment.

The frozen time period is defined in the indexes.conf configuration file, which specifies how long data should be retained in warm and cold storage before it is eligible for deletion. This automatic deletion process helps manage storage efficiently, allowing system administrators to ensure that only necessary and relevant data is retained, thus optimizing resource use and performance.

While archiving is a common practice for data retention, in the context of Splunk's frozen time management, the events are not archived but rather deleted. Compression generally pertains to the way that data is stored for efficiency, and moving to cold storage typically involves events that are still retained but not frequently accessed. In contrast, the deletion of events that have reached their frozen time signifies their complete removal from the index.
