Manage large KV Store collections

Follow these steps to manage default KV Store collections in Splunk Enterprise Security such as Access Tracker:

  • Look at the Access Tracker (a built-in KV Store collection for Splunk Enterprise Security) first if new user or destination combinations cause KV Store collections to grow by multiple GB each day.
  • Adjust the retention policy for the Access Tracker.
    The retention period for the Access Tracker KV Store collection is one year by default. However, you can reduce the data retention period for the KV Store collection from the Content Management page in Splunk Enterprise Security. See Add a retention policy to KV Store collections.
  • Turn off saved searches that use Access Tracker and clear all data in Access Tracker.
    Multiple saved searches such as 'Access - Authentication Tracker - Lookup Gen' are turned on by default and use the Access Tracker KV Store collection. You can identify the saved searches that use Access Tracker with the following SPL search:

    | rest "services/saved/searches" | search search="*access_tracker*" | fields title, description, search, disabled

    Note: You can append the SPL search to identify custom or built-in macros in the macros.conf file that use Access Tracker.

    If the saved searches that use Access Tracker are not required, they can be turned off by setting the disabled flag to True.
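    The same audit can be run outside Splunk on exported data. The following is an added Python example, not code from the Splunk documentation: it takes the JSON that the saved/searches REST endpoint returns with output_mode=json (entry[].name, entry[].content.search, entry[].content.disabled), lists the saved searches whose SPL references access_tracker with the same case-insensitive wildcard match as the SPL search above, flags the ones that are still enabled so they can be reviewed before anything is turned off, and scans a macros.conf for macro definitions that reference the collection. The sample REST response, the search names, and the macro stanza names are constructed for this example and are not real Splunk Enterprise Security objects.

```python
"""Audit saved searches and macros for references to the Access Tracker
KV Store collection. Added example; not Splunk documentation code.
Inputs: the JSON from GET /services/saved/searches?output_mode=json and
the text of a macros.conf. Both samples below are constructed; the
search names and macro stanza names are hypothetical."""
import configparser
import json
import re

# Same token the page's SPL search matches with search="*access_tracker*".
ACCESS_TRACKER_RE = re.compile(r"access_tracker", re.IGNORECASE)

# Constructed sample in the shape of the REST response (output_mode=json).
SAMPLE_SAVED_SEARCHES_JSON = json.dumps({
    "entry": [
        {"name": "Access - Authentication Tracker - Lookup Gen",
         "content": {"search": "| `access_tracker_gen` | outputlookup access_tracker",
                     "disabled": False,
                     "description": "Populates the Access Tracker"}},
        {"name": "Custom - Stale Access Report",
         "content": {"search": "| inputlookup Access_Tracker | where lastTime < relative_time(now(), \"-90d\")",
                     "disabled": True,
                     "description": "Weekly report"}},
        {"name": "Unrelated - Network Summary",
         "content": {"search": "index=network | stats count by src",
                     "disabled": False,
                     "description": ""}},
    ]
})

# Constructed macros.conf; stanza names are hypothetical.
SAMPLE_MACROS_CONF = """
[access_tracker_gen]
definition = | inputlookup access_tracker | stats max(_time) as lastTime by user, dest

[stale_access_dests]
definition = | inputlookup ACCESS_TRACKER | where lastTime < relative_time(now(), "-90d")

[net_summary]
definition = index=network | stats count by src
"""


def _is_true(value) -> bool:
    """The REST API may return disabled as a bool or as "0"/"1"; accept both."""
    return str(value).lower() in ("1", "true")


def find_access_tracker_searches(rest_json: str) -> list:
    """Return [{name, disabled}] for saved searches whose SPL references Access Tracker."""
    hits = []
    for entry in json.loads(rest_json)["entry"]:
        content = entry.get("content", {})
        if ACCESS_TRACKER_RE.search(content.get("search", "")):
            hits.append({"name": entry["name"],
                         "disabled": _is_true(content.get("disabled", False))})
    return hits


def searches_still_enabled(rest_json: str) -> list:
    """Names of Access Tracker searches that are still on and need a review decision."""
    return [h["name"] for h in find_access_tracker_searches(rest_json) if not h["disabled"]]


def find_access_tracker_macros(macros_conf_text: str) -> list:
    """Stanza names in macros.conf whose definition references Access Tracker."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(macros_conf_text)
    return [s for s in cp.sections()
            if ACCESS_TRACKER_RE.search(cp.get(s, "definition", fallback=""))]


if __name__ == "__main__":
    # Report on the constructed samples; on a real system feed it the REST
    # JSON and the merged macros.conf instead.
    for hit in find_access_tracker_searches(SAMPLE_SAVED_SEARCHES_JSON):
        state = "disabled" if hit["disabled"] else "ENABLED - review before turning off"
        print(f"saved search: {hit['name']}: {state}")
    for macro in find_access_tracker_macros(SAMPLE_MACROS_CONF):
        print(f"macro references Access Tracker: {macro}")
```

    Run against a live deployment by saving the REST response to a file (for example with the rest search above and output_mode=json, or curl against the management port) and pointing the functions at it; the enabled list is the set of searches to examine before clearing the collection, since disabling a lookup generator that other content depends on silently stops that content from updating.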

If no saved searches exist that use Access Tracker, clear the data in Access Tracker by running the following command: