We found that the searchable events for our wineventlog only goes back about 4 months but the searchable retention is set to 2 years 364 days (which is a total of 3 years). Splunk has said that the most likely scenario is that someone has changed the retention period recently. We would like to find out who has modified the searchable retention period.
I have looked in the audit logs but that also only goes back about 5 months and have not found anything useful. I have also googled and have not found any solutions. Would appreciate any help. Thank you.