Can you please let us know how long the retention is for user logons in Splunk?
Hi @pratapa,
if you're speaking of user accesses to Splunk, they are stored in the _audit index, which by default has a six-year retention period, but it's configurable (like all index retention periods in Splunk) by modifying indexes.conf in $SPLUNK_HOME/etc/system/local.
Ciao.
Giuseppe
Thanks for your reply.
If we want to configure the retention period of a logon user, what is the parameter?
Hi @pratapa,
the option is frozenTimePeriodInSecs and you have to add it to the [_audit] stanza in $SPLUNK_HOME/etc/system/local/indexes.conf.
For more information, see https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf .
Ciao.
Giuseppe
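
Added example, not part of the original thread: the stanza described in the answer above, written out as a config fragment. The one-year value and the archive path are constructed placeholders, and the `coldToFrozenDir` and `maxTotalDataSizeMB` notes go beyond what the thread covers.

```ini
# File: $SPLUNK_HOME/etc/system/local/indexes.conf

[_audit]
# Retention for audit events (including user logons to Splunk), in seconds.
# A bucket is frozen once its newest event is older than this value.
# Shipped default: 188697600 (about six years).
# Constructed example value: 365 days * 86400 s = 31536000 s (one year).
frozenTimePeriodInSecs = 31536000

# Frozen buckets are deleted unless an archive destination is configured.
# To keep audit data for later review, point coldToFrozenDir at a directory
# the Splunk user can write to (placeholder path, adjust to your environment).
coldToFrozenDir = /path/to/audit_archive

# Note: the index size limit (maxTotalDataSizeMB) is enforced independently.
# If the index reaches it first, the oldest buckets are frozen before
# frozenTimePeriodInSecs has elapsed, so size the index for the retention you need.
```

Restart Splunk after editing the file, then confirm the effective value and which file it comes from with `splunk btool indexes list _audit --debug`.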