Splunk® Enterprise Security

Administer Splunk Enterprise Security


Configure general settings for Splunk Enterprise Security

As a Splunk Enterprise administrator, you can make configuration changes to your Splunk Enterprise Security installation. Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page.

On the Enterprise Security menu bar, select Configure > General > General Settings.

Setting: Description

Asset Sources: A search macro that enumerates the lookup tables that contain asset information used for asset correlation.
Auto Pause: The time in seconds before a drilldown search pauses.
Default Watchlist Search: Defines the watchlisted events for the "Watchlisted Events" correlation search.
Domain Analysis: Enable or disable WHOIS tracking for web domains.
Domain From URL Extraction Regex: A regular expression used to extract the domain (the url_domain field) from a URL.
Enable Identity Generation Autoupdate: If true, permits the Identity Manager to auto-update the asset_sources, identity_sources, and generate_identities macros. True by default.
Generic Error Search: A search filter that defines events indicating an error has occurred.
HTTP Category Analysis Sparkline Earliest: Sets the start time for sparklines displayed on the HTTP User Category Analysis dashboard.
HTTP Category Analysis Sparkline Span: Sets the time span for sparklines displayed on the HTTP User Category Analysis dashboard.
HTTP User Agent Analysis Sparkline Earliest: Sets the start time for sparklines displayed on the HTTP User Agent Analysis dashboard.
HTTP User Agent Analysis Sparkline Span: Sets the time span for sparklines displayed on the HTTP User Agent Analysis dashboard.
IRT Disk Sync Delay: Sets the number of seconds Enterprise Security waits for a disk flush to finish. Relevant to indexed real-time searches.
Identity Generation: Defines the transformations used to normalize identity information. See How Splunk Enterprise Security processes and merges asset and identity data.
Identity Generation Timeout: The number of seconds the Identity Manager waits before warning of slow search completion in identity_manager.log.
Identity Sources: Enumerates the source lookup tables that contain identity information.
Incident Review Analyst Capacity: The estimated maximum number of notable events assigned to an analyst. A relative measure of analyst workload.
Indexed Realtime: Enable or disable indexed real-time mode for searches.
Large Email Threshold: An email that exceeds this size in bytes is considered large.
Licensing Event Count Filter: Defines the list of indexes to exclude from the "Events Per Day" summarization.
Maximum Documents Per Batch Save (kvstore): The maximum number of documents that can be saved in a single batch to a KV Store collection.
New Domain Analysis Sparkline Span: Sets the time span for sparklines displayed on the New Domain Analysis dashboard.
Notable Modalert Pipeline: SPL for the notable event adaptive response action.
Override Email Alert Action: Overrides the email alert action settings so that users can send notable events by email through adaptive response actions on the Incident Review dashboard.
Risk Modalert Pipeline: SPL for the risk modifier adaptive response action.
Search Disk Quota (admin): Sets the maximum amount of disk space in MB that an admin user can use to store search job results.
Search Jobs Quota (admin): Sets the maximum number of concurrent searches allowed for admin users.
Search Jobs Quota (power): Sets the maximum number of concurrent searches allowed for power users.
Short Lived Account Length: An account creation and deletion record that exceeds this threshold is anomalous.
TSTATS Allow Old Summaries: Enable or disable searching of data model accelerations that contain fields which do not match the current data model configuration.
TSTATS Local: Determines whether the TSTATS macro is distributed.
TSTATS Summaries Only: Determines whether the TSTATS or summariesonly macro searches only accelerated events.
Use Other: Enable or disable the OTHER series on charts that exceed the default series limit.
Website Watchlist Search: A list of watchlisted websites used by the "Watchlisted Events" correlation search.
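The Domain From URL Extraction Regex setting determines the url_domain value that watchlist matching and domain analysis rely on, so it is worth checking a candidate regex against URLs with ports, userinfo and missing schemes before configuring it. The following is an added example, not Enterprise Security's own code or its default regex: both regexes and the sample URLs are constructed here, and the naive regex is included only to show the kind of mismatch the check catches.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed regex (not the Enterprise Security default): skips an optional
# scheme and optional userinfo, then captures the host up to a port, path,
# query or fragment.
URL_DOMAIN_REGEX = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"   # optional scheme such as http:// or ftp://
    r"(?:[^/@?#]*@)?"               # optional userinfo (user:pass@)
    r"(?P<url_domain>[^/:?#]+)",    # host, stopping at : / ? #
    re.IGNORECASE,
)

# Constructed naive regex that only strips http(s):// and reads up to the first slash.
NAIVE_REGEX = re.compile(r"^(?:https?://)?(?P<url_domain>[^/]+)", re.IGNORECASE)

# Constructed sample URLs mapped to the host a correct extraction should yield.
SAMPLE_URLS: Dict[str, str] = {
    "http://www.example.com/index.html": "www.example.com",
    "https://EXAMPLE.com:8443/login?next=/": "example.com",
    "http://trusted.example@attacker.example/path": "attacker.example",
    "example.org/no/scheme": "example.org",
    "ftp://files.example.net": "files.example.net",
}


def extract_url_domain(url: str, pattern: re.Pattern = URL_DOMAIN_REGEX) -> Optional[str]:
    """Return the lower-cased url_domain the pattern extracts, or None if it does not match."""
    match = pattern.match(url.strip())
    return match.group("url_domain").lower() if match else None


def check_regex(pattern: re.Pattern, samples: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Return the sample URLs where the pattern's url_domain differs from the expected host."""
    mismatches: Dict[str, Tuple[Optional[str], str]] = {}
    for url, expected in samples.items():
        got = extract_url_domain(url, pattern)
        if got != expected:
            mismatches[url] = (got, expected)
    return mismatches


if __name__ == "__main__":
    for name, pattern in (("constructed", URL_DOMAIN_REGEX), ("naive", NAIVE_REGEX)):
        for url, (got, expected) in check_regex(pattern, SAMPLE_URLS).items():
            print(f"{name}: {url!r} gave {got!r}, expected {expected!r}")
```

Run the same check against your own configured regex by passing it to check_regex together with URLs from your web proxy logs.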

See also

Manage input credentials in Splunk Enterprise Security

Manage permissions in Splunk Enterprise Security

Customize the menu bar in Splunk Enterprise Security

Configure per-panel filtering in Splunk Enterprise Security


This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1
