There are 2 main parts to Splunk, the web UI and the splunkd back-end, both of them have a timeout variable. When setting the timeout via the 'System Settings' page in 'Manager', it should update both of these settings -
$SPLUNK_HOME/etc/system/local/server.conf -
[general]
sessionTimeout = 3h
$SPLUNK_HOME/etc/system/local/web.conf -
[settings]
tools.sessions.timeout = 180
However, a bug in the current release 4.0.8 (SPL-28766) means that the incorrect web.conf setting is update, so for now a manual file-update is necessary. This should be fixed pretty soon, check out the known-issues page for confirmation - http://docs.splunk.com/Documentation/Splunk/4.0.8/ReleaseNotes/KnownIssues
There are 2 main parts to Splunk, the web UI and the splunkd back-end, both of them have a timeout variable. When setting the timeout via the 'System Settings' page in 'Manager', it should update both of these settings -
$SPLUNK_HOME/etc/system/local/server.conf -
[general]
sessionTimeout = 3h
$SPLUNK_HOME/etc/system/local/web.conf -
[settings]
tools.sessions.timeout = 180
However, a bug in the current release 4.0.8 (SPL-28766) means that the incorrect web.conf setting is update, so for now a manual file-update is necessary. This should be fixed pretty soon, check out the known-issues page for confirmation - http://docs.splunk.com/Documentation/Splunk/4.0.8/ReleaseNotes/KnownIssues
Is there a way to grant unlimited time for specific users/groups?
There is not a method to do per-group session timeouts.
Your options would entail arranging to feed those groups an already valid session token/ID and or to use something like the guestpass feature for a specific dashboard embedding purpose.
Digging further into those areas would want its own splunk answers post.
Did you find a way to do this?