Splunk® Enterprise Security

Administer Splunk Enterprise Security

Manage general settings for Splunk Enterprise Security

As a Splunk Enterprise Security administrator, you can make configuration changes to your Splunk Enterprise Security installation such as changing threshold values, macro definitions, search filters, and other settings.

Follow these steps to configure general settings for Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, select the Configure tab.
  2. Select General settings.
  3. Use the following table to make configuration changes to your Splunk Enterprise Security app instance.
    | Setting | Purpose |
    | --- | --- |
    | Analyst capacity | Provides the relative measure of an analyst's workload by specifying the maximum number of findings assigned to an analyst. |
    | Auto pause | Specifies the time, in seconds, before a drill-down search stops, so that you can customize search performance. A value of 0 means that the drill-down search never stops automatically. |
    | AWS index | Configures the AWS index for Cloud Security dashboards. |
    | Command pipeline for finding modular alerts | Specifies the SPL command pipeline for the finding modular alerts. |
    | Command pipeline for risk modular alerts | Specifies the SPL command pipeline for the risk modular alerts. |
    | Configure Microsoft 365 index | Configures Microsoft 365 indexes for Cloud Security dashboards. |
    | Default series limits exceeds threshold | Turns on or turns off displaying the term "Other" on charts that exceed the default series limits. |
    | Default watchlist search | Defines a search string for the `tag=watchlist` of threat intelligence events in the 'Watchlisted Event Observed' detection. |
    | Detection versions | Turns on or turns off versioning for detections. |
    | Disk quota for search results (admin) | Configures the maximum disk space (in MB) allocated to an administrator user to store search results. |
    | Disk sync delay | Configures the number of seconds for Splunk Enterprise Security to wait before a disk flush is completed. A synchronizing delay is built into indexed real-time searches as a precaution so that none of the data is missed. |
    | Distributed configuration management | Provides links to download Splunk helper applications for distributed deployments. |
    | Domain analysis | Turns on or turns off WHOIS tracking for web domains. When this search macro is turned on and is referenced in another search, it expands to `outputcheckpoint modinput=whois` by default. When this search macro is turned off, the default is `noop`. |
    | Enhanced workflows | Turns on table filters, table columns, and shared views on the Mission Control page of Splunk Enterprise Security. |
    | Event sequencing engine | Turns on the main event sequencing engine. |
    | Generic error search | Defines events that indicate an error has occurred. |
    | Jobs quota for search results (admin) | Configures the maximum number of concurrent searches that an admin user can run. |
    | Jobs quota for search results (power) | Configures the maximum number of concurrent searches that a power user can run. |
    | Large email threshold | Defines the size threshold (in bytes) above which an email is considered large. |
    | Licensing event count filter | Defines the list of indexes to exclude from the summarization: Events per day. |
    | Minimum length of threat intelligence | Configures the minimum string length required for threat intelligence with wildcard characters. |
    | Maximum documents saved in KVStore | Defines the maximum number of documents that can be saved in a single batch to a KVStore collection. |
    | Maximum threat artifacts | Defines the maximum number of threat artifacts returned for unfiltered searches on the Threat Artifacts dashboard. The default value is 10000. This setting is managed in the `threat_artifacts_max` macro editor. |
    | Override email alert action | Overrides the email alert action settings to allow users to send findings using email through adaptive response actions. |
    | Realtime indexing | Turns on or turns off real-time indexing. Setting your real-time searches to run after the events are indexed can greatly improve indexing performance. You can use real-time indexing when up-to-the-second accuracy is not needed. |
    | Risk severity range map | Adjusts the numeric value for the risk scores to tune the severity level based on the specific requirements of your environment. |
    | Regex for domain extraction from URL | Extracts the domain (`url_domain`) from the URL. |
    | Short lived account length | Identifies the records of account creation and deletion as anomalous. An account creation and deletion record that falls within this threshold is anomalous. |
    | Sparkline span (Category analysis) | Configures the bucket time span for sparklines displayed in the dashboard: HTTP category analysis. |
    | Sparkline span (New domain analysis) | Configures the bucket time span for sparklines displayed in the dashboard: New domain analysis. |
    | Sparkline span (User agent analysis) | Configures the bucket time span for sparklines displayed in the dashboard: HTTP user agent analysis. |
    | Sparkline start time (Category analysis) | Configures the start time for sparklines displayed in the dashboard: HTTP category analysis. |
    | Sparkline start time (User agent analysis) | Configures the start time for sparklines displayed in the dashboard: HTTP user agent analysis. |
    | Top 1 million site source | Displays the source for the top 1 million sites. |
    | Tstats macro distribution | Determines if the `tstats` macros must be distributed. |
    | Tstats or summaries macro | Determines whether the `tstats` or `summariesonly` macro searches only accelerated events. |
    | Website watchlist search | Lists watchlisted websites used by the detection: Watchlisted events. |

See also

For more information on general settings in Splunk Enterprise Security, see the product documentation:

Turn off the enhanced workflow on the Mission Control page

Last modified on 17 September, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1

