Where do I find documentation regarding how long Splunk retains audit logs? Can this be edited? Thank you.
The retention settings for the _audit index (assuming that is what is meant by "audit logs") are in an indexes.conf file ($SPLUNK_HOME/etc/system/default, by default). You should be able to show the auditor a screenshot of the Settings->Indexes page showing the oldest entry in the index (if you have at least a year of data, of course).
Thank you sir, which server should I look this up on? Can it be done via GUI?
You can do it on any server with the full list of indexes. Yes, it can be done using the GUI (as per the screenshot).
I looked this up; the _audit index says earliest event 5 months ago and latest event 4 months ago. Rich, should this setting be changed in the _audit and _internal indexes, or just in the _audit index? This setting of 1 year log retention in indexes.conf has to be done via CLI, correct?
Perhaps what you should do is sign in to one of the indexers and use btool to view the retention settings.
splunk btool indexes list _audit | grep frozenTimePeriodInSecs
The value will be in seconds so you'll have to do some math to convert it into days for the auditor.
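The conversion Rich describes, plus the parsing of btool output, as an added shell example that is not part of this thread. The btool output below is a constructed sample of the lines `splunk btool indexes list _audit` prints (only the frozenTimePeriodInSecs line matters here), and the one-year stanza is what an admin would place in $SPLUNK_HOME/etc/system/local/indexes.conf rather than editing the default file:

```shell
#!/bin/sh
# Added example, not code from the thread. Converts a Splunk
# frozenTimePeriodInSecs value to days and extracts it from btool output.

# Retention in whole days: seconds / 86400 (integer division).
secs_to_days() {
  echo $(( $1 / 86400 ))
}

# Constructed sample of `splunk btool indexes list _audit` output.
# A real run lists every setting of the stanza; the retention line is the
# one the auditor cares about.
SAMPLE_BTOOL_OUTPUT='[_audit]
coldPath = $SPLUNK_DB/audit/colddb
frozenTimePeriodInSecs = 31536000
homePath = $SPLUNK_DB/audit/db'

# $1: btool output text. Pulls the seconds value and converts it to days.
retention_days_from_btool() {
  secs=$(printf '%s\n' "$1" \
    | grep '^frozenTimePeriodInSecs' \
    | cut -d= -f2 \
    | tr -d ' ')
  secs_to_days "$secs"
}

# Local override stanza (constructed) setting _audit retention to 365 days;
# it belongs in $SPLUNK_HOME/etc/system/local/indexes.conf so upgrades do
# not overwrite it.
one_year_stanza() {
  printf '[_audit]\nfrozenTimePeriodInSecs = %s\n' "$(( 365 * 86400 ))"
}

# Stand-alone run: show the parsed value and the stanza to apply.
echo "Retention days from sample btool output: $(retention_days_from_btool "$SAMPLE_BTOOL_OUTPUT")"
one_year_stanza
```

Two caveats worth checking before handing the number to an auditor: `splunk btool indexes list _audit --debug` prefixes each line with the file it came from, so you can see whether the value is the shipped default or a local override; and frozenTimePeriodInSecs is only the time-based limit, since a bucket is also frozen once the index hits maxTotalDataSizeMB, so a small size cap can shorten effective retention well below the configured seconds.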
Rich sir, I copied and pasted it into a SH but received "unknown command". Please advise.
splunk btool indexes list _audit | grep frozenTimePeriodInSecs
It's a CLI command, not an SPL query.
I used it accessing the SH via CLI. Must have mistyped. Thank you. I will try again.
You may need to fully qualify the command.
/opt/splunk/bin/splunk btool indexes list _audit | grep frozenTimePeriodInSecs