It is complex, but necessarily so because while you may want old data, you probably most certainly want current data.
What may not be evident in the wiki post is the indexing of very old logs and logs 'in the future'.
Let's say for example you have logs that are older than the MAX_DAYS_AGO parameter from props.conf (default 2000 days) - all events older than the MAX_DAYS_AGO will have the _time value of the last acceptable timestamp in that log file, and if all events are older than MAX_DAYS_AGO, then all events will have the current (index time) timestamp for _time.
So, in addition to knowing that Freezing data is based on _time, you must also understand that it is based on the most recent time in the buckets (restart Splunkd = new buckets), and that indexing very old logs may give you event times (_time) that are not what you expected (MAX_DAYS_AGO defaults to 2000 days).
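A small model of the behaviour this answer describes, added here as an illustration; it is not part of the original post and not Splunk's code. The function names, the sample dates and the 365-day retention are constructed, and falling back to index time for too-old events that precede the first acceptable timestamp is a modelling assumption.

```python
from datetime import datetime, timedelta

MAX_DAYS_AGO = 2000  # props.conf default cited in the post


def assign_times(parsed, index_time, max_days_ago=MAX_DAYS_AGO):
    """Model of the _time rule described above for one log file.

    parsed: timestamps extracted from events, in file order.
    A too-old timestamp is replaced by the last acceptable one seen;
    if none has been seen yet, index time is used (modelling assumption).
    """
    cutoff = index_time - timedelta(days=max_days_ago)
    last_ok = None
    out = []
    for ts in parsed:
        if ts >= cutoff:
            last_ok = ts
            out.append(ts)
        else:
            out.append(last_ok if last_ok is not None else index_time)
    return out


def bucket_is_freezable(times, now, retention_days):
    """A bucket ages out only when its most recent _time is past retention."""
    return max(times) < now - timedelta(days=retention_days)


# Constructed samples: logs from 2015 indexed on 2024-01-01.
INDEX_TIME = datetime(2024, 1, 1)
ARCHIVE = [datetime(2015, 3, 1) + timedelta(hours=h) for h in range(3)]
MIXED = [datetime(2015, 3, 1), datetime(2023, 6, 1), datetime(2015, 3, 2)]

if __name__ == "__main__":
    later = INDEX_TIME + timedelta(days=30)
    for name, sample in (("archive", ARCHIVE), ("mixed", MIXED)):
        times = assign_times(sample, INDEX_TIME)
        print(name, [t.date().isoformat() for t in times],
              "freezable under 365-day retention:",
              bucket_is_freezable(times, later, 365))
```

In this model the 2015 archive ends up stamped with the index date, so a retention check that would have aged it out on its original timestamps keeps it for a full retention period after indexing.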