Edit the retention period for a team queue

The retention period for a team queue determines how long Splunk Enterprise Security keeps data after it has been archived. Once the retention period expires, the data is permanently deleted and cannot be recovered.

Retention is governed by a global investigation retention policy, which applies to all team queues by default. If a queue does not have a queue-specific retention value configured, it inherits the investigation retention period. Queues that adhere to the investigation retention policy have a retention period set to -1. You can override this default for individual queues by setting a queue-specific retention period. When a queue-specific value is set, it takes precedence over the global policy and applies to all findings and investigations in that queue, along with their associated objects, such as notes, attachments, and findings.

The following table explains the behavior of different values you can set for a team queue retention period:

Queue retention value    Behavior
-1                       Adheres to the global investigation retention period
0                        Deletes immediately on the next retention run. Note: using this value also requires a global investigation retention period to be set.
> 0                      Uses the queue-specific retention period

You can only set a team queue retention period if the investigation retention period in the inputs.conf file has max_days > 0 or max_size > 0. If both values are 0 or turned off, then no retention runs and nothing gets deleted.

To edit the retention period for a team queue, complete the following steps:

  1. In Splunk Enterprise Security, select Configurations then Findings and investigations and then Team queues.
  2. Locate the team queue you want to edit, and then expand it.
  3. In the About tab, select Edit.
  4. Use the arrows and the drop-down list to set a Retention period of archived items for the queue.
  5. Select Save.
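To check how the table above and the inputs.conf precondition combine for a set of queues, here is an added audit script (example code written for this page, not part of Splunk Enterprise Security). It assumes that max_days and max_size have already been read out of inputs.conf; the stanza they belong to is not stated on this page, so the values are passed in directly, and the queue names and values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InvestigationRetention:
    """Global investigation retention limits from inputs.conf.

    The page names the keys max_days and max_size; the stanza they live in is
    not stated, so the two values are supplied directly (assumption).
    """
    max_days: int = 0
    max_size: int = 0

    def runs(self) -> bool:
        # Retention only runs when at least one limit is greater than 0.
        return self.max_days > 0 or self.max_size > 0


def effective_retention(queue_value: int, policy: InvestigationRetention) -> str:
    """Map a queue's retention value onto the behaviour in the table above.

    Returns one of: 'invalid', 'no-retention', 'global', 'immediate', 'queue:<days>'.
    """
    if queue_value < -1:
        return "invalid"            # not a value the table defines
    if not policy.runs():
        return "no-retention"       # both limits 0/off: nothing is ever deleted
    if queue_value == -1:
        return "global"             # inherits the investigation retention period
    if queue_value == 0:
        return "immediate"          # deleted on the next retention run
    return f"queue:{queue_value}"   # queue-specific period takes precedence


def audit_queues(queues: Dict[str, int], policy: InvestigationRetention) -> List[str]:
    """Flag queues whose configured value is invalid or cannot take effect."""
    findings = []
    for name, value in queues.items():
        outcome = effective_retention(value, policy)
        if outcome == "invalid":
            findings.append(f"{name}: retention value {value} is not valid")
        elif outcome == "no-retention" and value != -1:
            findings.append(f"{name}: value {value} has no effect, global retention is off "
                            f"(max_days={policy.max_days}, max_size={policy.max_size})")
    return findings


# Constructed sample: queue names and values are illustrative, not from a real deployment.
SAMPLE_QUEUES = {"soc-tier1": -1, "triage": 0, "legal-hold": 365, "broken": -5}

if __name__ == "__main__":
    for pol in (InvestigationRetention(max_days=90), InvestigationRetention()):
        print(pol, audit_queues(SAMPLE_QUEUES, pol))
```

Running the script with a disabled global policy reports every queue with a value other than -1, which is the condition the text describes as "no retention runs and nothing gets deleted".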