Modify configuration files using Splunk ES UI

You can manage configuration settings by modifying specific .conf files using the Splunk Enterprise Security user interface (UI). The following are some of the configuration files that you can modify using the Splunk ES UI. Each file is displayed by stanza, with its fields shown as radio buttons and text or number inputs.
  • mc_database.conf
  • mc_rate_limit.conf
  • mc_sa_spl_context.conf
  • mc_search.conf
  • es_ai_settings.conf

Note: Not all fields or configuration files can be updated using the ES UI because managing those settings without the assistance of Splunk Support might cause errors. You can contact the Splunk Customer Support portal if you want to modify configuration files or fields that are not listed in the System configuration page.

Edit configuration files using the ES UI

  1. In the Splunk Enterprise Security app, select the Configure tab.
  2. Select General settings and then select System configuration.
    Note: Updating system settings in the configuration files might impact the performance of your security operations center (SOC).
  3. In the Files search filter, search for the configuration file that you want to modify. For example, es_ai_settings.conf.
  4. Identify and edit the fields that you want to modify.
  5. Select Save.
    Note: It might take approximately 10 minutes for the saved configuration settings to take effect. Alternatively, you can select Save and reload or just select Reload to apply the modified configuration settings.

Manage resources by assigning search jobs to a workload pool

Optimize resource usage and search performance by assigning search jobs from the analyst queue to a specific workload pool. Running multiple searches concurrently can create a bottleneck and deplete search capacity. When you configure a workload pool, search jobs from the analyst queue can be scheduled to run within the resource limits of the workload pool. Managing the workload to run searches helps to cap concurrent usage of resources such as CPU, memory, and so on.
Note: Configuring a workload pool to run search jobs is an optional step for optimizing your system resources.
  1. In the Splunk Enterprise Security app, select the Configure tab.
  2. Select General settings and then select System configuration.
    Note: Updating system settings in the configuration files might impact the performance of your security operations center (SOC).
  3. In the Files search filter, search for mc_search.conf.
  4. Navigate to the workload_pool setting.
  5. Enter a name for your workload pool.
  6. Select Save.
    Note: It might take approximately 10 minutes for the saved configuration settings to take effect. Alternatively, you can select Save and reload or just select Reload to apply the modified configuration settings.