Configure Splunk Enterprise Event Ingestion settings

  • Release version: Xanadu
  • Updated July 31, 2025
Use the Splunk Enterprise Event Ingestion settings to modify the preset configurations and their values as per your requirements.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    Procedure

    1. Navigate to All > Splunk Integration > Splunk Integration Settings.
    2. Fill in the fields on the form.
      Table 1. Splunk Integration Settings

      Field: Maximum number of alerts to be displayed in the profile creation.
      Property: sn_sec_splunk_v2.max_alerts_to_display
      Description: Defines the maximum number of alerts to display while creating an event profile.
      Default: 500

      Field: Maximum number of security incidents to be created in one day.
      Property: sn_sec_splunk_v2.max_si_per_day
      Description: Defines the maximum number of security incidents that can be created in one day.
      Default: 1000

      Field: Maximum number of events to fetch from Splunk per call.
      Property: sn_sec_splunk_v2.max_events_per_call
      Description: Defines the maximum number of events to retrieve from Splunk on each call.
      Default: 100

      Field: The number of days an item remains in the queue table after completing or erroring, for informational or debugging purposes.
      Property: sn_sec_splunk_v2.queue_item_expire
      Description: Defines the number of days a queue item is retained after it completes or errors, so that it stays available for review or debugging.
      Default: 14

      Field: Number of days to retain the event import, event to task, and fired alerts data.
      Property: sn_sec_splunk_v2.retention_period
      Description: Determines the number of days to retain the event import, event to task, and fired alerts data.
      Default: 30

      Field: Activate this setting to update existing Splunk source configurations for token-based authentication support. You will need to update the integration configuration with token details once this setting is enabled.
      Property: sn_sec_splunk_v2.upgrade_existing_tile
      Description: Updates an existing Splunk source configuration from an earlier version to support token-based authentication.
      Note: After you upgrade to the new version, the token field becomes unavailable. Enable this setting to get token-based authentication, and then update the integration configuration with the token details.
      Default: No

      Field: Logging level - debug, info, warn, error.
      Property: sn_sec_splunk_v2.logging.verbosity
      Description: Sets the logging level (debug, info, warn, or error).

      Field: Splunk search time to live in seconds.
      Property: sn_sec_splunk_v2.sid_ttl
      Description: Sets the time in seconds that Splunk search results are retained.
      Default: 14

      Field: Number of overlap minutes to add while fetching the events from Splunk (to overcome indexing delay from Splunk).
      Property: sn_sec_splunk_v2.overlap_time
      Description: Specifies additional minutes of overlap when fetching events from Splunk, to account for indexing delays.
      Default: 0

      Field: Alert rule batch size to be used for firing Splunk search queries during ingestion.
      Property: sn_sec_splunk_v2.rules_batch_size
      Description: Sets the batch size for firing Splunk search queries during ingestion.
      Default: 50

      Field: Event limit per triggered alert, to handle spikes.
      Property: sn_sec_splunk_v2.spike_events_limit
      Description: Limits the number of events processed per triggered alert, to manage spikes in event volume.
      Default: 1000

      Field: The delimiter character to split the values in field mappings.
      Property: sn_sec_splunk_v2.delimiter
      Description: Specifies the delimiter character used to split values in field mappings.
    3. Select Save.
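The overlap and per-call limit settings interact in a way the table only hints at. The following is an added example, not code from the ServiceNow integration or from Splunk, that models successive polls over constructed events to show why an overlap of 0 can miss events Splunk indexes late; the property names are from the table, while the event model, the poll times and the `runPolls` function are assumptions of the example.

```javascript
// Added example (not ServiceNow or Splunk code): a simplified model of how
// sn_sec_splunk_v2.overlap_time and sn_sec_splunk_v2.max_events_per_call
// shape what successive polls pick up. Times are minutes since an arbitrary
// start; the poll/dedup logic is an illustration, not the integration's code.

// Constructed sample: when each event happened vs. when Splunk finished
// indexing it. e3 is indexed 7 minutes late, the case overlap_time addresses.
const SAMPLE_EVENTS = [
  { id: "e1", eventTime: 10, indexedAt: 11 },
  { id: "e2", eventTime: 18, indexedAt: 19 },
  { id: "e3", eventTime: 19, indexedAt: 26 },
  { id: "e4", eventTime: 25, indexedAt: 26 },
];

// What a search over [from, to) returns when run at time `now`: only events
// in the window that Splunk has already indexed, oldest first.
function searchWindow(events, from, to, now) {
  return events
    .filter((ev) => ev.eventTime >= from && ev.eventTime < to && ev.indexedAt <= now)
    .sort((a, b) => a.eventTime - b.eventTime);
}

// Run polls at the given times. Each poll searches from the previous poll
// time minus the overlap up to now, truncated to max_events_per_call. Because
// the overlap re-reads events already seen, results are deduplicated by id.
function runPolls(events, pollTimes, settings) {
  const overlap = settings["sn_sec_splunk_v2.overlap_time"];
  const maxPerCall = settings["sn_sec_splunk_v2.max_events_per_call"];
  const seen = new Set();
  const ingested = [];
  let lastPoll = 0;
  for (const now of pollTimes) {
    const from = Math.max(0, lastPoll - overlap);
    for (const ev of searchWindow(events, from, now, now).slice(0, maxPerCall)) {
      if (!seen.has(ev.id)) {
        seen.add(ev.id);
        ingested.push(ev.id);
      }
    }
    lastPoll = now;
  }
  return ingested;
}

// With the page's default overlap of 0, e3 is never fetched; a 5-minute overlap recovers it.
const DEFAULTS = { "sn_sec_splunk_v2.overlap_time": 0, "sn_sec_splunk_v2.max_events_per_call": 100 };
console.log(runPolls(SAMPLE_EVENTS, [20, 30], DEFAULTS).join(","));
console.log(runPolls(SAMPLE_EVENTS, [20, 30], { ...DEFAULTS, "sn_sec_splunk_v2.overlap_time": 5 }).join(","));
```

Lowering max_events_per_call below the number of events in a window drops the excess permanently in this model, because the next poll starts where the previous one ended.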