Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure general settings for Splunk Enterprise Security

As a Splunk Enterprise administrator, you can make configuration changes to your Splunk Enterprise Security installation. Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page.

On the Enterprise Security menu bar, select Configure > General > General Settings.

Setting Description
Auto Pause Type the time in seconds before a drilldown search will pause. A value of 0 means never auto-pause. This is a search macro for performance purposes.
Default Watchlist Search Define a search string for the tag=watchlist of Threat Intelligence events in the 'Watchlisted Event Observed' correlation search.
Distributed Configuration Management Download Splunk "helper" applications for distributed deployments.
Domain Analysis Turn on or turn off WHOIS tracking for Web domains. This is a search macro and when turned on, the search macro expands to outputcheckpoint modinput=whois by default when it is referenced in another search. When turned off, the default is noop.
Domain From URL Extraction Regex A regular expression used to extract domain (url_domain) from a URL.
Event Sequencing Engine Turns on the main Event Sequencing Engine. See Create sequence templates in Splunk Enterprise Security.
Generic Error Search A search filter for defining events that indicate an error has occurred.
HTTP Category Analysis Sparkline Earliest Set the start time for sparklines displayed on the HTTP User Category Analysis dashboard.
HTTP Category Analysis Sparkline Span Set the time span for sparklines displayed on the HTTP User Category Analysis dashboard.
HTTP User Agent Analysis Sparkline Earliest Set the start time for sparklines displayed on the HTTP User Agent Analysis dashboard.
HTTP User Agent Analysis Sparkline Span Set the time span for sparklines displayed on the HTTP User Agent Analysis dashboard.
Incident Review Analyst Capacity Estimated maximum capacity of notable events assigned to an analyst. Relative measure of analyst workload.
Indexed Realtime Turn on or turn off Indexed Realtime. Enabling your real-times searches to run after the events are indexed can greatly improve indexing performance. Use indexed real-time search when up-to-the-second accuracy is not needed.
IRT Disk Sync Delay Set the number of seconds for Enterprise Security to wait for a disk flush to finish. Built into indexed real-time searches is a sync (synchronizing) delay. The sync delay is a precaution so that none of the data is missed.
Large Email Threshold An email that exceeds this size in bytes is considered large.
Licensing Event Count Filter Define the list of indexes to exclude from the "Events Per Day" summarization.
Max running sequences Maximum number of ongoing sequences allowed in event sequencing engine. Increasing this limit will result in additional memory overhead.
Maximum Documents Per Batch Save (kvstore) The maximum number of documents that can be saved in a single batch to a KV Store collection.
New Domain Analysis Sparkline Span Set the time span for sparklines displayed in the New Domain Analysis dashboard.
Notable Modalert Pipeline SPL for the notable event adaptive response action.
Override Email Alert Action Override the email alert action settings to allow users to send notable events via email through adaptive response actions on the Incident Review dashboard.
PCI Compliance History Span The bucket time span for the "Compliance History" panel on the "PCI Posture" view.
PCI Scorecard Single Value Controls the logic for determining the color of single value visualizations on PCI Posture and Scorecards.
Risk Modalert Pipeline SPL for the risk modifier adaptive response action.
Risk Severity Range Map Adjust the numeric value for the risk scores to tune the severity level based on the specific requirements of your environment.
Search Disk Quota (admin) Set the maximum amount of disk space in MB that an admin user can use to store search job results.
Search Jobs Quota (admin) Set the maximum number of concurrent searches allowed for admin users.
Search Jobs Quota (power) Set the maximum number of concurrent searches for power users.
Short Lived Account Length An account creation and deletion record that falls within this threshold is anomalous.
Threat Artifacts Max The maximum number of threat artifacts to return for unfiltered queries on the Threat Artifacts dashboard. The default is 10000, and is managed in the `threat_artifacts_max` macro editor.
Threat Intelligence Wildcard Minimum Length Filter out wildcard intelligence that doesn't meet the minimum requirement.
Top 1M Site Source A macro definition to indicate source to be used for Top 1M sites.
TSTATS Local Determine whether or not the TSTATS macro will be distributed.
TSTATS Summaries Only Determine whether or not the TSTATS or summariesonly macro will only search accelerated events.
Use Other Turn on or turn off the term OTHER on charts that exceed default series limits.
Website Watchlist Search A list of watchlisted websites used by the "Watchlisted Events" correlation search.

See also

Manage input credentials in Splunk Enterprise Security

Manage permissions in Splunk Enterprise Security

Customize the menu bar in Splunk Enterprise Security

Configure per-panel filtering in Splunk Enterprise Security

Last modified on 11 August, 2023
PREVIOUS
Add ESCU annotations to correlation searches and analytics stories
  NEXT
Manage credentials in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters