My understanding is that a retention policy operates on the events in my cold buckets, meaning that when data grows beyond a certain size I specify for the index, Splunk deletes the oldest data from the cold bucket.
However, if my events never roll from warm to cold bucket, will Splunk still honor my retention policy and delete the data from my warm buckets?
maybe you can limit the max warm db count with properly adjusting your warm bucket size to enforce it to roll into cold bucket. refer to this discussion