If you're speaking of user accesses to Splunk, they are stored in the _audit index, which by default has a six-year retention period, but it's configurable (like all the index retention periods in Splunk) by modifying indexes.conf in $SPLUNK_HOME/etc/system/local.
The option is frozenTimePeriodInSecs, and you have to add it to the [_audit] stanza in
For more information, see https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf .
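A retention check for the setting described above, as an added example that is not part of the original answer: it reads the text of one indexes.conf file and reports how many days the _audit index keeps events before freezing them. The function names and the sample file content are hypothetical; the script assumes a single file rather than Splunk's merged configuration layers, and uses the shipped default of 188697600 seconds when nothing is set.

```python
import configparser

# Splunk's shipped default for frozenTimePeriodInSecs (roughly six years).
SHIPPED_DEFAULT_SECS = 188697600

# Constructed sample: a local indexes.conf that cuts _audit retention to one year.
SAMPLE_CONF = """\
# constructed example content
[_audit]
frozenTimePeriodInSecs = 31536000
"""


def audit_retention_days(conf_text, stanza="_audit"):
    """Return (days, source) for frozenTimePeriodInSecs as set in conf_text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    # Settings placed before any stanza are global; file them under [default].
    parser.read_string("[default]\n" + conf_text)
    for section in (stanza, "default"):
        if parser.has_option(section, "frozenTimePeriodInSecs"):
            secs = int(parser.get(section, "frozenTimePeriodInSecs"))
            return secs / 86400, section
    return SHIPPED_DEFAULT_SECS / 86400, "shipped default"


def meets_requirement(conf_text, required_days):
    """True when audit events are kept at least required_days before freezing."""
    days, _ = audit_retention_days(conf_text)
    return days >= required_days


if __name__ == "__main__":
    days, source = audit_retention_days(SAMPLE_CONF)
    print(f"_audit retention: {days:.0f} days (from {source})")
    print("meets 2-year requirement:", meets_requirement(SAMPLE_CONF, 730))
```

On a live instance, `splunk btool indexes list _audit --debug` shows the merged value and which file supplies it.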