Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how long is retention for user logons in Splunk

pratapa
Explorer
‎03-09-2020 11:42 PM

Can you please let us know how long is retention for user logons in Splunk.

Tags (1)
0 Karma
Reply

gcusello
Esteemed Legend
‎03-10-2020 02:38 AM

Hi @pratapa,
if you're speaking of user accesses to Splunk, they are stored in _audit index that, by default, has a six years retention period but it's configurable (like all the indexes retention periods in Splunk) modifying indexes.conf in $SPLUNK_HOME/etc/system/local.

Ciao.
Giuseppe

0 Karma
Reply

pratapa
Explorer
‎03-10-2020 03:02 AM

Thanks for your reply.

If we want to configure retention period of a logon user, what is the parameter.

0 Karma
Reply

gcusello
Esteemed Legend
‎03-10-2020 03:12 AM

Hi @pratapa,
the option is frozenTimePeriodInSecs and you have to add it to the [_audit] stanza in $SPLUNK_HOME/etc/system/local/indexes.conf.
To have more infos, see at https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf .

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...