Can you please let us know how long the retention is for user logons in Splunk?
If you're speaking of user accesses to Splunk, they are stored in the _audit index, which by default has a six-year retention period, but it's configurable (like all index retention periods in Splunk) by modifying indexes.conf in $SPLUNK_HOME/etc/system/local.
Thanks for your reply.
If we want to configure the retention period for user logons, what is the parameter?
The option is frozenTimePeriodInSecs, and you have to add it to the [_audit] stanza in
For more information, see https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Indexesconf .
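One way to check what time-based retention a given indexes.conf yields for _audit, as an added example that is not code from this thread or from Splunk. The function names, the 365-day minimum and the sample file contents are assumptions; 188697600 is Splunk's documented default for frozenTimePeriodInSecs.

```python
# Added example; helper names and sample values are assumptions.
SPLUNK_DEFAULT_FROZEN_SECS = 188697600  # Splunk's shipped default, roughly six years

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; pre-stanza settings go under 'default'."""
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_retention(text, min_days):
    """Return (seconds, days, source, meets_minimum) for the _audit index."""
    conf = parse_conf(text)
    key = "frozenTimePeriodInSecs"
    if key in conf.get("_audit", {}):
        secs, source = int(conf["_audit"][key]), "[_audit]"
    elif key in conf["default"]:  # global setting inherited by every index
        secs, source = int(conf["default"][key]), "[default]"
    else:
        secs, source = SPLUNK_DEFAULT_FROZEN_SECS, "built-in default"
    days = secs / 86400
    return secs, days, source, days >= min_days

# Constructed sample indexes.conf contents (not taken from a real deployment).
SAMPLE_SHORT = """
# global setting
frozenTimePeriodInSecs = 7776000
[_audit]
frozenTimePeriodInSecs = 2592000
"""
SAMPLE_INHERITED = """
[default]
frozenTimePeriodInSecs = 7776000
[main]
maxTotalDataSizeMB = 100000
"""
if __name__ == "__main__":
    for name, text in (("short", SAMPLE_SHORT), ("inherited", SAMPLE_INHERITED), ("empty", "")):
        secs, days, source, ok = audit_retention(text, min_days=365)
        print(f"{name}: {secs}s = {days:.0f} days from {source}, meets minimum: {ok}")
```

It reads a single file rather than Splunk's merged configuration, and it ignores size-based limits such as maxTotalDataSizeMB, which can freeze buckets before the time limit is reached.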