Configure Splunk Enterprise Security settings
- Updated Jan 30, 2025
- Yokohama
- Splunk Enterprise Security Event Ingestion Integration
Use the Splunk Enterprise Security (ES) settings to modify the preset configurations and their values as per your requirements.
Before you begin
Role required: admin
Procedure
- Navigate to All > Splunk ES Integration > Splunk ES Settings.
- On the form, fill in the fields.
Table 1. Splunk ES Settings

| Field | Description |
|---|---|
| Enforce a limit on the number of notable events that can be aggregated to a single incident. | Option to enforce a limit on the number of notable events that you want to aggregate into a single incident. By default, the value is set to 100. |
| Enforce a limit on the number of security incidents that can be created in a 24-hour period. | Option to enforce a limit on the number of security incidents that can be created in a period of 24 hours. By default, the value is set to 1000. |
| Enforce a limit on the number of values to parse in each field received from Splunk. | Option to enforce a limit on the number of values that you want to parse for each field received from Splunk. By default, the value is set to 1000. |
| Number of correlation rules to pull from Splunk. | Option to define the number of correlation rules to retrieve from Splunk. By default, the value is set to 500. |
| The Time-to-Live parameter for Splunk search job in seconds. | Option to define the Time-to-Live parameter for the Splunk search job, in seconds. By default, the value is set to 600. |
| Number of notable types to batch in one search. | Option to define the total number of notable types that you want to batch in a single search. By default, the value is set to 20. |
| Number of days to retain the Splunk search job metadata in ServiceNow. | Option to define the number of days that you want to retain the Splunk search job metadata in ServiceNow. By default, the value is set to 30. |
| The delimiter character to split the values in field mappings. | Option to define the delimiter character used to split the values in field mappings. By default, the value is a comma (,). |
| Number of overlap minutes to add while fetching the events from Splunk (to overcome the indexing delay from Splunk). | Option to define the number of overlap minutes to add while retrieving events from Splunk, so that events Splunk indexes late are not missed. By default, the value is set to 30. |
| Pull updated notable events. | Option to retrieve updated notable events. By default, the value is set to No. |
| Activate this setting to update existing Splunk source configurations for token-based authentication support. You must update the integration configuration with token details after this setting is enabled. | Option to migrate existing Splunk source configurations from an earlier version to token-based authentication. Note: After you upgrade to the new version, the token field becomes unavailable. You must enable this setting to get token-based authentication, after which you must update the integration configuration with token details. By default, the value is set to No. |
- Click Save.
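The overlap-minutes setting widens each poll's search window back into the previous one, so notable events that Splunk indexed late are still collected; the cost is that events near the boundary are returned twice and the ingesting side has to deduplicate them. The following Python example is added here to illustrate that trade-off; it is not code from the ServiceNow integration or from Splunk, and the event fields, poll schedule and indexing delays are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Notable:
    # Constructed fields, not the integration's schema: when the event happened
    # and when Splunk finished indexing it (the delay the overlap is meant to cover).
    event_id: str
    event_time: datetime
    indexed_at: datetime

T0 = datetime(2025, 1, 30, 12, 0)
EVENTS = [  # constructed sample notables
    Notable("n1", T0 + timedelta(minutes=5), T0 + timedelta(minutes=6)),
    # n2 occurs in the first hour but is indexed 25 minutes late, after the first poll
    Notable("n2", T0 + timedelta(minutes=50), T0 + timedelta(minutes=75)),
    Notable("n3", T0 + timedelta(minutes=70), T0 + timedelta(minutes=71)),
]

def search_window(last_run, now, overlap_minutes):
    """Time range for one poll: from the previous run, widened back by the overlap."""
    return last_run - timedelta(minutes=overlap_minutes), now

def fetch(events, earliest, latest, now):
    """Simulated Splunk search at wall-clock `now`: returns only events that are
    already indexed and whose event time lies in [earliest, latest)."""
    return [e for e in events
            if e.indexed_at <= now and earliest <= e.event_time < latest]

@dataclass
class Collector:
    overlap_minutes: int
    seen: set = field(default_factory=set)      # event ids already ingested
    ingested: list = field(default_factory=list)

    def poll(self, last_run, now):
        earliest, latest = search_window(last_run, now, self.overlap_minutes)
        for e in fetch(EVENTS, earliest, latest, now):
            if e.event_id in self.seen:         # re-fetched because of the overlap: drop it
                continue
            self.seen.add(e.event_id)
            self.ingested.append(e.event_id)
        return self.ingested

def run(overlap_minutes):
    """Two hourly polls; returns the ids ingested, in order, for the given overlap."""
    c = Collector(overlap_minutes)
    for last_run, now in [(T0, T0 + timedelta(hours=1)),
                          (T0 + timedelta(hours=1), T0 + timedelta(hours=2))]:
        c.poll(last_run, now)
    return c.ingested
```

With no overlap the late-indexed n2 is never collected; with a 30-minute overlap (the default) it is, and a larger overlap only increases the number of duplicates the `seen` set has to absorb.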