Manage general settings for Splunk Enterprise Security

As a Splunk Enterprise Security administrator, you can make configuration changes to your Splunk Enterprise Security installation such as changing threshold values, macro definitions, search filters, and other settings.

Follow these steps to configure general settings for Splunk Enterprise Security:

  1. In the Splunk Enterprise Security app, select the Configure tab.
  2. Select General settings.
  3. Use the following table to make configuration changes to your Splunk Enterprise Security app instance.
    Setting: Purpose

    Analyst capacity: Provides a relative measure of an analyst's workload by setting the maximum number of findings that can be assigned to one analyst.
    Auto pause: Specifies the number of seconds a drill-down search runs before it is automatically paused, which limits the search load that drill-downs generate. A value of 0 means that drill-down searches are never paused automatically.
    AWS index: Configures the AWS index used by the Cloud Security dashboards.
    Command pipeline for finding modular alerts: Specifies the SPL command pipeline for the finding modular alerts.
    Command pipeline for risk modular alerts: Specifies the SPL command pipeline for the risk modular alerts.
    Configure Microsoft 365 index: Configures the Microsoft 365 indexes used by the Cloud Security dashboards.
    Default series limits exceeds threshold: Turns on or turns off the "Other" series on charts that exceed the default series limit.
    Default watchlist search: Defines the search string applied to threat intelligence events with tag=watchlist in the "Watchlisted Event Observed" detection.
    Detection versions: Turns on or turns off versioning for detections.
    Disk quota for search results (admin): Configures the maximum disk space (in MB) that an admin user can use to store search results.
    Disk sync delay: Configures the number of seconds that indexed real-time searches wait for indexed data to be flushed to disk. The delay is built into indexed real-time searches as a precaution so that events still being written are not missed.
    Distributed configuration management: Provides links to download the Splunk helper applications used in distributed deployments.
    Domain analysis: Turns on or turns off WHOIS tracking for web domains. When turned on, the search macro expands to outputcheckpoint modinput=whois by default wherever it is referenced in another search. When turned off, it expands to noop.
    Generic error search: Defines the search that matches events indicating an error has occurred.
    Jobs quota for search results (admin): Configures the maximum number of concurrent searches that an admin user can run.
    Jobs quota for search results (power): Configures the maximum number of concurrent searches that a power user can run.
    Large email threshold: Defines the size, in bytes, above which an email is considered large.
    Licensing event count filter: Defines the list of indexes to exclude from the "Events per day" summarization.
    Minimum length of threat intelligence: Configures the minimum string length required for threat intelligence values that contain wildcard characters. Very short wildcard patterns match broadly and produce noisy threat matches.
    Maximum documents saved in KVStore: Defines the maximum number of documents that can be saved to a KV Store collection in a single batch.
    Maximum threat artifacts: Defines the maximum number of threat artifacts returned for unfiltered searches on the Threat Artifacts dashboard. The default value is 10000. This setting is managed in the `threat_artifacts_max` macro editor.
    Override email alert action: Overrides the email alert action settings so that users can send findings by email through adaptive response actions.
    Realtime indexing: Turns on or turns off indexed real-time search. Running real-time searches against events after they are indexed, rather than at ingest time, can greatly improve indexing performance. Use this when up-to-the-second accuracy is not required.
    Risk severity range map: Adjusts the numeric risk score ranges that map to each severity level, so that severities can be tuned to the requirements of your environment.
    Regex for domain extraction from URL: Defines the regular expression used to extract the domain (url_domain) from a URL.
    Short lived account length: Defines the time window within which an account creation followed by a deletion of the same account is treated as anomalous.
    Sparkline span (Category analysis): Configures the bucket time span for sparklines displayed on the HTTP category analysis dashboard.
    Sparkline span (New domain analysis): Configures the bucket time span for sparklines displayed on the New domain analysis dashboard.
    Sparkline span (User agent analysis): Configures the bucket time span for sparklines displayed on the HTTP user agent analysis dashboard.
    Sparkline start time (Category analysis): Configures the start time for sparklines displayed on the HTTP category analysis dashboard.
    Sparkline start time (User agent analysis): Configures the start time for sparklines displayed on the HTTP user agent analysis dashboard.
    Top 1 million site source: Specifies the source for the top 1 million sites list.
    Tstats macro distribution: Determines whether the tstats macros are distributed.
    Tstats or summaries macro: Determines whether the tstats or summariesonly macro searches only accelerated (summarized) events.
    Website watchlist search: Lists the watchlisted websites used by the "Watchlisted events" detection.
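As an added example that is not part of this documentation or of Splunk Enterprise Security's own code, the following Python models what two of the settings above control: the Short lived account length threshold, applied to constructed account creation and deletion events, and the Risk severity range map, applied as a score-to-severity lookup. The event data and the severity ranges are assumptions made for illustration, not Splunk Enterprise Security defaults.

```python
"""Added example (not Splunk Enterprise Security code): models the
"Short lived account length" and "Risk severity range map" settings."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccountEvent:
    time: datetime
    user: str
    action: str  # "created" or "deleted"


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    AccountEvent(datetime(2024, 5, 1, 9, 0), "svc-backup", "created"),
    AccountEvent(datetime(2024, 5, 1, 9, 40), "svc-backup", "deleted"),  # lived 40 minutes
    AccountEvent(datetime(2024, 5, 1, 10, 0), "jsmith", "created"),
    AccountEvent(datetime(2024, 5, 3, 10, 0), "jsmith", "deleted"),      # lived 2 days
    AccountEvent(datetime(2024, 5, 1, 11, 0), "tmp-admin", "created"),   # never deleted
    AccountEvent(datetime(2024, 5, 1, 8, 0), "ghost", "deleted"),        # no creation seen
]


def short_lived_accounts(events, threshold_seconds):
    """Return [(user, lifetime_seconds)] for accounts that were created and
    then deleted within threshold_seconds (the "Short lived account length").
    Events are processed in time order; a deletion with no preceding creation
    in the data is ignored rather than flagged."""
    created_at = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.action == "created":
            created_at[ev.user] = ev.time
        elif ev.action == "deleted" and ev.user in created_at:
            lifetime = int((ev.time - created_at.pop(ev.user)).total_seconds())
            if lifetime <= threshold_seconds:
                hits.append((ev.user, lifetime))
    return hits


# Assumed score-to-severity ranges for illustration only; the real values
# are whatever the "Risk severity range map" setting holds in your deployment.
RISK_SEVERITY_RANGES = [
    (0, 20, "informational"),
    (20, 40, "low"),
    (40, 60, "medium"),
    (60, 80, "high"),
    (80, float("inf"), "critical"),
]


def severity_for_risk_score(score, ranges=RISK_SEVERITY_RANGES):
    """Map a numeric risk score to a severity label using half-open ranges
    [low, high). Scores above the last range take the last label; scores
    below the first range take the first label."""
    for low, high, label in ranges:
        if low <= score < high:
            return label
    if score >= ranges[-1][1]:
        return ranges[-1][2]
    return ranges[0][2]


if __name__ == "__main__":
    print(short_lived_accounts(SAMPLE_EVENTS, 24 * 3600))
    for s in (0, 20, 55, 99.5):
        print(s, severity_for_risk_score(s))
```

Raising the threshold passed to short_lived_accounts widens the window in which a create-then-delete pair is flagged; lowering it trims the alert volume at the cost of missing slower account churn, which is the same trade-off the setting exposes in the product.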