An event could match the filter criteria of multiple data retention policies.
To determine which data retention policy will apply to an event and, therefore, how long an event will be retained before deleting it from the data storage, apply the following rules:
If an event meets the criteria of only one data retention policy filter, that data retention policy is applied to the event.
If an event does not meet the criteria for any of the data retention policies, the default data retention policy is applied to that event.
If an event meets the criteria for more than one of the data retention policies, the following guidelines are used to determine which data retention policy should be applied:
If the maximum retention period of a policy is shorter than the others, that policy is applied. (If the maximum retention period is not specified for a policy, the policy is considered to have a long maximum retention period.)
If multiple matching policies have the same shortest maximum retention period, the policy with the longest minimum retention period is applied.
If multiple matching policies have the same shortest maximum retention period and the same longest minimum retention period, the system arbitrarily applies one of the policies.