How long is retention for user logons in Splunk?

Explorer

Can you please let us know how long the retention is for user logons in Splunk?

0 Karma

Legend

Hi @pratapa,
if you're speaking of user accesses to Splunk, they are stored in the _audit index, which by default has a six-year retention period, but it's configurable (like all index retention periods in Splunk) by modifying indexes.conf in $SPLUNK_HOME/etc/system/local.

Ciao.
Giuseppe

0 Karma

Explorer

Thanks for your reply.

If we want to configure the retention period of a logon user, what is the parameter?

0 Karma

Legend

Hi @pratapa,
the option is frozenTimePeriodInSecs and you have to add it to the [_audit] stanza in $SPLUNK_HOME/etc/system/local/indexes.conf.
For more information, see https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf .

Ciao.
Giuseppe

0 Karma
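The following is an added example, not part of the thread or of Splunk's own tooling: a small check that computes the effective frozenTimePeriodInSecs for the [_audit] stanza and compares it with a minimum retention requirement. The function names, the constructed sample file contents, the 365-day threshold and the simplification to two configuration layers (system/default, then system/local) are assumptions made for illustration.

```python
import configparser

DEFAULT_FROZEN_SECS = 188697600  # Splunk's shipped default, about six years

# Constructed sample contents for system/default and system/local indexes.conf.
SYSTEM_DEFAULT = """\
[default]
frozenTimePeriodInSecs = 188697600

[_audit]
homePath = $SPLUNK_DB/audit/db
"""
SYSTEM_LOCAL = """\
[_audit]
frozenTimePeriodInSecs = 7776000
"""

def parse_conf(text):
    """Parse indexes.conf-style text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    # Settings that appear before any stanza are global; file them under [default].
    cp.read_string("[default]\n" + text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_retention_secs(layers, index="_audit"):
    """layers: conf texts ordered from lowest to highest precedence."""
    merged = {}
    for text in layers:
        for stanza, kv in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(kv)
    # A value in the index's own stanza wins over the [default] stanza.
    for stanza in (index, "default"):
        value = merged.get(stanza, {}).get("frozenTimePeriodInSecs")
        if value is not None:
            return int(value)
    return DEFAULT_FROZEN_SECS

def check_retention(layers, min_days, index="_audit"):
    """Report whether time-based retention meets min_days.
    Size limits such as maxTotalDataSizeMB can freeze data sooner; not checked here."""
    secs = effective_retention_secs(layers, index)
    days = secs / 86400
    return {"index": index, "secs": secs, "days": days, "ok": days >= min_days}

if __name__ == "__main__":
    print(check_retention([SYSTEM_DEFAULT, SYSTEM_LOCAL], min_days=365))
```

On a live instance, `splunk btool indexes list _audit --debug` shows the merged stanza and which file each setting comes from.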