Answer by warren for How do we get/extract log data from splunk

You need to investigate the following:

• index retention (and for Smart Store)
• storage availability
  • if you have an index set for 500G or 1 year, but you store 50G per day, you’ll rotate at 10 days
  • if you hsve an index set for 500G or 1 year, but only have 400G available storage, it will rotate sooner

from User warren – Stack Overflow https://stackoverflow.com/questions/63598298/how-do-we-get-extract-log-data-from-splunk/63599569#63599569
via IFTTT