Configure general settings for Splunk Enterprise Security
As a Splunk Enterprise administrator, you can make configuration changes to your Splunk Enterprise Security installation. Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page.
On the Enterprise Security menu bar, select Configure > General > General Settings.
Setting | Description |
---|---|
Asset Sources | A search macro that enumerates the lookup tables that contain asset information used for asset correlation. |
Auto Pause | Number of seconds before a drilldown search automatically pauses. |
Default Watchlist Search | Defines the watchlisted events for the "Watchlisted Events" correlation search. |
Domain Analysis | Enable or disable WHOIS tracking for Web domains. |
Domain From URL Extraction Regex | A regular expression used to extract the domain (the url_domain field) from a URL. |
Enable Identity Generation Autoupdate | If true, permit the Identity Manager to auto-update asset_sources, identity_sources, and generate_identities macros. True by default. |
Generic Error Search | A search filter for defining events that indicate an error has occurred. |
HTTP Category Analysis Sparkline Earliest | Set the start time for sparklines displayed on the HTTP User Category Analysis dashboard. |
HTTP Category Analysis Sparkline Span | Set the time span for sparklines displayed on the HTTP User Category Analysis dashboard. |
HTTP User Agent Analysis Sparkline Earliest | Set the start time for sparklines displayed on the HTTP User Agent Analysis dashboard. |
HTTP User Agent Analysis Sparkline Span | Set the time span for sparklines displayed on the HTTP User Agent Analysis dashboard. |
IRT Disk Sync Delay | Set the number of seconds for Enterprise Security to wait for a disk flush to finish. Relevant to indexed real-time searches. |
Identity Generation | Defines the transformations used to normalize identity information. See Rank the order for merging identities. |
Identity Generation Timeout | Number of seconds the Identity Manager waits before warning of slow search completion in identity_manager.log. |
Identity Sources | Enumerates the source lookup tables that contain identity information. |
Incident Review Analyst Capacity | Estimated maximum capacity of notable events assigned to an analyst. Relative measure of analyst workload. |
Indexed Realtime | Enable or disable indexed real-time mode for searches. |
Large Email Threshold | An email that exceeds this size in bytes is considered large. |
Licensing Event Count Filter | Define the list of indexes to exclude from the "Events Per Day" summarization. |
Maximum Documents Per Batch Save (kvstore) | The maximum number of documents that can be saved in a single batch to a KV Store collection. |
New Domain Analysis Sparkline Span | Set the time span for sparklines displayed in the New Domain Analysis dashboard. |
Notable Modalert Pipeline | SPL for the notable event adaptive response action. |
Override Email Alert Action | Override the email alert action settings to allow users to send notable events via email through adaptive response actions on the Incident Review dashboard. |
Risk Modalert Pipeline | SPL for the risk modifier adaptive response action. |
Search Disk Quota (admin) | Set the maximum amount of disk space in MB that an admin user can use to store search job results. |
Search Jobs Quota (admin) | Set the maximum number of concurrent searches allowed for admin users. |
Search Jobs Quota (power) | Set the maximum number of concurrent searches for power users. |
Short Lived Account Length | An account creation and deletion record that exceeds this threshold is anomalous. |
TSTATS Allow Old Summaries | Enable or disable searching of data model acceleration summaries whose fields do not match the current data model definition. |
TSTATS Local | Determines whether the tstats macro runs only on the search head (local) instead of being distributed to the indexers. |
TSTATS Summaries Only | Determines whether the tstats and summariesonly macros search only accelerated (summarized) events. |
Threat Artifacts Max | The maximum number of threat artifacts to return for unfiltered queries on the Threat Artifacts dashboard. The default is 10000, and is managed in the `threat_artifacts_max` macro. |
Threat Intelligence Wildcard Minimum Length | Minimum length for wildcard threat intelligence entries; wildcard entries shorter than this are filtered out. |
Use Other | Enable or disable the term OTHER on charts that exceed default series limits. |
Website Watchlist Search | A list of watchlisted websites used by the "Watchlisted Events" correlation search. |
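The Domain From URL Extraction Regex setting above decides what lands in the url_domain field, and therefore what threat intelligence domain indicators can match against. The following is an added worked example, not Splunk's code and not the Enterprise Security default regex: it contrasts a naive extraction pattern with a stricter one over constructed URLs, showing where a loose regex yields a url_domain that never matches an indicator (port or userinfo left in the value) or that an attacker can steer (a benign-looking name in the userinfo part). Both patterns and all sample URLs are assumptions made up for the illustration.

```python
"""Added example: naive vs. strict url_domain extraction (not Splunk's code).

Neither regex below is the Enterprise Security default; both are constructed
to show why the configured extraction regex matters for threat matching.
"""
import re
from typing import Dict, List, Optional, Tuple

# Naive: everything after an optional scheme up to the first "/".
# Leaves userinfo, ports and IPv6 brackets in the extracted value.
NAIVE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/]+)", re.IGNORECASE)

# Stricter: discard userinfo ("user@"), stop at the port, and require that the
# host is followed by a path, query, fragment or the end of the string.
STRICT_RE = re.compile(
    r"""^(?:[a-z][a-z0-9+.-]*://)?   # optional scheme
        (?:[^/@?#]*@)?               # optional userinfo, discarded
        (\[[0-9a-f:.]+\]|[^/:?#]+)   # host: bracketed IPv6, or hostname/IPv4
        (?::\d+)?                    # optional port, discarded
        (?=[/?#]|$)""",
    re.IGNORECASE | re.VERBOSE,
)


def url_domain(url: str, pattern: re.Pattern = STRICT_RE) -> Optional[str]:
    """Return the normalized host for url, or None if the pattern finds none.

    Normalization mirrors what a url_domain value should look like: lowercase,
    no scheme, userinfo, port or path, no IPv6 brackets, no trailing dot.
    """
    m = pattern.match(url.strip())
    if not m:
        return None
    return m.group(1).lower().strip("[]").rstrip(".")


# Constructed sample URLs (not real traffic), chosen to exercise the cases
# where a sloppy regex produces a url_domain that will not match an indicator.
SAMPLE_URLS = [
    "http://good.example/login",                 # plain
    "https://good.example:8443/api",             # explicit port
    "http://evil.example@good.example/",         # userinfo: attacker-chosen prefix
    "https://[2001:db8::1]:443/",                # bracketed IPv6 literal
    "http://login.good.example.evil.example/",   # look-alike subdomain
    "javascript:alert(1)",                       # not a network URL at all
]


def compare(urls: List[str] = SAMPLE_URLS) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each url to (naive_domain, strict_domain) so divergences are visible."""
    return {u: (url_domain(u, NAIVE_RE), url_domain(u, STRICT_RE)) for u in urls}


def mismatches(urls: List[str] = SAMPLE_URLS) -> List[str]:
    """URLs on which the two regexes disagree: each is a potential missed match."""
    return [u for u, (naive, strict) in compare(urls).items() if naive != strict]


if __name__ == "__main__":
    for u, (naive, strict) in compare().items():
        flag = "" if naive == strict else "   <-- differs"
        print(f"{u:45} naive={naive!r:32} strict={strict!r}{flag}")
```

Note that neither pattern reduces a host to its registrable domain: the look-alike subdomain is reported in full by both, which is the correct url_domain behaviour, and matching it against a domain indicator for evil.example is a job for the threat matching logic, not the extraction regex. When changing the regex in General Settings, run a comparison like this over a sample of your own proxy and web logs before and after, so that a change does not silently break indicator matching.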
See also
Manage input credentials in Splunk Enterprise Security
Manage permissions in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.1, 6.0.2, 6.1.0, 6.1.1