Configure Splunk Enterprise Event Ingestion settings
Use the Splunk Enterprise Event Ingestion settings to modify the preset configurations and their values to suit your requirements.
Before you begin
Role required: sn_si.admin
Procedure
- Navigate to All > Splunk Integration > Splunk Integration Settings.
- On the form, fill in the fields.
Table 1. Splunk Integration Settings

| Field | Description |
| --- | --- |
| Maximum number of alerts to be displayed in the profile creation | Option to define the maximum number of alerts that you want to display while creating an event profile. By default, the value is set as 500. |
| Maximum number of security incidents to be created in one day | Option to define the maximum number of security incidents that can be created in one day. By default, the value is set as 1000. |
| Maximum number of events to fetch from Splunk per call | Option to define the maximum number of events to retrieve from Splunk for each call. By default, the value is set as 100. |
| The number of days an item remains in the queue table after completing/erroring for information or debugging purposes | Option to define the number of days that an item remains in the queue table after it completes or errors, for information or debugging purposes. By default, the value is set as 14. |
| Number of days to retain the event import, event to task and fired alerts data | Option to determine the number of days that you want to retain the event import, event to task, and fired alerts data. By default, the value is set as 30. |
| Activate this setting to update existing Splunk source configurations for token based authentication support. You will need to update the integration configuration with token details once this setting is enabled. | Option to update existing Splunk source configuration to token-based authentication support from an existing version. Note: After you upgrade to the new version, the token field would become unavailable. You need to enable this setting to get token-based authentication, after which you need to update the integration configuration with token details. By default, the value is set as No. |
Figure 1. Splunk Integration Settings
- Click Save.