Security

how long is retention for user logons in Splunk

pratapa
Explorer

Can you please let us know how long is retention for user logons in Splunk.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @pratapa,
if you're speaking of user accesses to Splunk, they are stored in _audit index that, by default, has a six years retention period but it's configurable (like all the indexes retention periods in Splunk) modifying indexes.conf in $SPLUNK_HOME/etc/system/local.

Ciao.
Giuseppe

0 Karma

pratapa
Explorer

Thanks for your reply.

If we want to configure retention period of a logon user, what is the parameter.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @pratapa,
the option is frozenTimePeriodInSecs and you have to add it to the [_audit] stanza in $SPLUNK_HOME/etc/system/local/indexes.conf.
To have more infos, see at https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf .

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...