UEBA cloud service limits
This topic describes the defined service limits for User and Entity Behavior Analytics (UEBA) Cloud. These limits help ensure consistent performance, resource efficiency, and predictable scaling across all tenants.
User and entity behavior analytics (UEBA) cloud workloads analyze large volumes of events to detect anomalies and potential threats. To maintain reliable performance and predictable resource usage, Splunk Enterprise Security establishes service limits based on production telemetry and capacity modeling.
The following limits represent current validated thresholds for event processing and data model scale. They are subject to change as the platform evolves and new performance data becomes available.
Defined service limits
The following limits apply per tenant:
| Service limit category | Limitation value |
|---|---|
| Event throughput (EPS) | 45,000–60,000 EPS |
| Unique users | Up to 3,000,000 |
| Unique devices | Up to 3,000,000 |
| Entity lists | 500 across identities and assets of all types, such as source, category, and pattern match |
| Finding exclusions | 2,000 across all types, such as field match and lookup |
Guidance for users
These limits are intended as practical operational guidelines. If your organization anticipates significantly higher event throughput or entity counts, contact Splunk Support to discuss scalability options.
Service limits are periodically reviewed and can be adjusted based on platform improvements and evolving usage patterns.