UEBA on-premises service limits
Defines service limits for User and Entity Behavior Analytics (UEBA) to ensure predictable performance, scalability, and cost management across Splunk environments.
User and entity behavior analytics (UEBA) analyzes large volumes of data to detect unusual behavior and potential security threats. To make sure your environment stays fast, reliable, and cost-efficient, UEBA enforces service limits that define how much data and processing the system can handle.
These limits help you:
- Keep your environment running smoothly and predictably.
- Maintain analysis quality without overloading your system.
- Scale UEBA as your organization grows.
- Stay aligned with compliance and governance requirements.
- Control costs and make the most of your available resources.
By setting these limits, UEBA ensures consistent performance and a stable experience across all customer environments.
Service component limits
| Service limit category | Limitation value |
|---|---|
| Entity lists | 500 across identities and assets of all types, such as source, category, and pattern match |
| Finding exclusions | 2,000 across all types, such as field match and lookup |