Configure general settings for Splunk Enterprise Security
As a Splunk Enterprise administrator, you can make configuration changes to your Splunk Enterprise Security installation. Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page.
On the Enterprise Security menu bar, select Configure > General > General Settings.
| Setting | Description |
|---|---|
| | Type the time in seconds before a drilldown search will pause. A value of 0 means never auto-pause. This is a search macro used for performance purposes. |
| Default Watchlist Search | Define a search string for the `tag=watchlist` Threat Intelligence events used in the "Watchlisted Event Observed" correlation search. |
| Distributed Configuration Management | Download Splunk "helper" applications for distributed deployments. |
| | Turn on or turn off WHOIS tracking for web domains. This is a search macro; when turned on, it expands by default to `outputcheckpoint modinput=whois` when referenced in another search. When turned off, it expands to `noop`. |
| Domain From URL Extraction Regex | A regular expression used to extract the domain (`url_domain`) from a URL. |
| Event Sequencing Engine | Turns on the main Event Sequencing Engine. See Create sequence templates in Splunk Enterprise Security. |
| Generic Error Search | A search filter that defines events indicating an error has occurred. |
| HTTP Category Analysis Sparkline Earliest | Set the start time for sparklines displayed on the HTTP User Category Analysis dashboard. |
| HTTP Category Analysis Sparkline Span | Set the time span for sparklines displayed on the HTTP User Category Analysis dashboard. |
| HTTP User Agent Analysis Sparkline Earliest | Set the start time for sparklines displayed on the HTTP User Agent Analysis dashboard. |
| HTTP User Agent Analysis Sparkline Span | Set the time span for sparklines displayed on the HTTP User Agent Analysis dashboard. |
| Incident Review Analyst Capacity | Estimated maximum number of notable events that can be assigned to an analyst. A relative measure of analyst workload. |
| | Turn on or turn off indexed real-time search. Running your real-time searches after the events are indexed can greatly improve indexing performance. Use indexed real-time search when up-to-the-second accuracy is not needed. |
| IRT Disk Sync Delay | Set the number of seconds Enterprise Security waits for a disk flush to finish. Indexed real-time searches have a built-in sync (synchronizing) delay as a precaution so that no data is missed. |
| Large Email Threshold | An email that exceeds this size in bytes is considered large. |
| Licensing Event Count Filter | Define the list of indexes to exclude from the "Events Per Day" summarization. |
| Max running sequences | Maximum number of ongoing sequences allowed in the Event Sequencing Engine. Increasing this limit adds memory overhead. |
| Maximum Documents Per Batch Save (kvstore) | The maximum number of documents that can be saved in a single batch to a KV Store collection. |
| New Domain Analysis Sparkline Span | Set the time span for sparklines displayed on the New Domain Analysis dashboard. |
| Notable Modalert Pipeline | SPL for the notable event adaptive response action. |
| Override Email Alert Action | Override the email alert action settings to allow users to send notable events by email through adaptive response actions on the Incident Review dashboard. |
| PCI Compliance History Span | The bucket time span for the "Compliance History" panel on the "PCI Posture" view. |
| PCI Scorecard Single Value | Controls the logic that determines the color of single-value visualizations on PCI Posture and Scorecards. |
| Risk Modalert Pipeline | SPL for the risk modifier adaptive response action. |
| Risk Severity Range Map | Adjust the numeric ranges of risk scores that map to each severity level, to suit the requirements of your environment. |
| Search Disk Quota (admin) | Set the maximum amount of disk space in MB that an admin user can use to store search job results. |
| Search Jobs Quota (admin) | Set the maximum number of concurrent searches allowed for admin users. |
| Search Jobs Quota (power) | Set the maximum number of concurrent searches allowed for power users. |
| Short Lived Account Length | An account creation and deletion record that falls within this threshold is considered anomalous. |
| Threat Artifacts Max | The maximum number of threat artifacts to return for unfiltered queries on the Threat Artifacts dashboard. The default is 10000, and it is managed in the `threat_artifacts_max` macro editor. |
| Threat Intelligence Wildcard Minimum Length | Filter out wildcard intelligence that does not meet the minimum length requirement. |
| Top 1M Site Source | A macro definition that indicates the source to be used for Top 1M sites. |
| | Determine whether or not the TSTATS macro will be distributed. |
| TSTATS Summaries Only | Determine whether or not the TSTATS or `summariesonly` macro will search only accelerated events. |
| | Turn on or turn off the term OTHER on charts that exceed the default series limits. |
| Website Watchlist Search | A list of watchlisted websites used by the "Watchlisted Events" correlation search. |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0