https://community.splunk.com/t5/Splunk-Enterprise/Splunk-real-time-data-integrity-check/m-p/747339#M22340 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310604">@esllorj</a>&nbsp;</P><P>In short - you cannot run an integrity check against buckets created before the integrity check was enabled, see the following community post:&nbsp;<A href="https://community.splunk.com/t5/Splunk-Enterprise/enable-integrity-control-on-splunk-6-3/m-p/266889#:~:text=Error%20description%20%22journal%20has%20no,Reason%3DJournal%20has%20no%20hashes" target="_blank">https://community.splunk.com/t5/Splunk-Enterprise/enable-integrity-control-on-splunk-6-3/m-p/266889#:~:text=Error%20description%20%22journal%20has%20no,Reason%3DJournal%20has%20no%20hashes</A>.</P><P>Credit to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/36761">@dbhagi_splunk</a>&nbsp;for their answer here:</P><LI-CODE lang="markup">Data Integrity Control feature &amp; the corresponding settings/commands only apply to the data that is indexed after turning on this feature. It won't go ahead &amp; generate hashes (or even check integrity) for pre-existing data. So in the case where "./splunk check-integrity -index [index_name]" returned the following error, That means this bucket is not created/indexed with Data Integrity control feature enabled. Either it was created before you enabled it (assuming you turned on this feature for your index now) or you haven't enabled this feature for the index=index_name at all. Error description "journal has no hashes": This indicates that journal is not created with hashes enabled. Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes. Same applies to "./splunk generate-hash-files -index [ index_name]" You would be able to generate (means, extracting the hashes embedded in the journal) only for data integrity control enabled buckets. This won't go and compute/create hashes for normal buckets without this feature enabled. Say you enabled the feature &amp; you created few buckets, but you lost hash files of a particular bucket (someone modified or deleted them on disk), then you can run this command so that it again extract hashes &amp; writes them to hash files (l1hashes_id_guid.dat, l2hash_id_guid.dat). Hope i answered all your questions.</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 02 Jun 2025 09:28:45 GMT livehybrid 2025-06-02T09:28:45Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-real-time-data-integrity-check/m-p/747338#M22339 <P>Hi splunkers,&nbsp;</P><P><SPAN>My client wants to conduct a consistency check on all indexes that they collect</SPAN></P><P><SPAN>So I added enableDataIntegrityControl=1 to every index setting<BR />and&nbsp;I created a script to run the command SPLUNK_CMD check-integrity -index "$INDEX" for all indexes.</SPAN></P><P><SPAN>But that's where the problem comes from. The data we keep collecting in real time is that running a command during check-integrity fails.&nbsp; ( ex linux_os logs, window_os logs)</SPAN></P><P><SPAN>results are like this<BR /><EM><STRONG>result</STRONG></EM><BR /><EM><STRONG>server.conf/[sslConfig]/sslVerifyServerCert is false disabling certificate validation; must be set to "true" for increased security</STRONG></EM><BR /><EM><STRONG>disableSSLShutdown=0</STRONG></EM><BR /><EM><STRONG>Setting search process to have long life span: enable_search_process_long_lifespan=1</STRONG></EM><BR /><EM><STRONG>certificateStatusValidationMethod is not set, defaulting to none.</STRONG></EM><BR /><EM><STRONG>Splunk is starting with EC-SSC disabled</STRONG></EM><BR /><EM><STRONG>CMIndexId: New indexName=linux_os inserted, mapping to id=1</STRONG></EM><BR /><EM><STRONG>Operating on: idx=linux_os bucket='/opt/splunk/var/lib/splunk/linux_os/db/db_1737699472_1737699262_0'</STRONG></EM><BR /><EM><STRONG>Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/linux_os/db/db_1737699472_1737699262_0, Reason=Journal has no hashes.</STRONG></EM><BR /><EM><STRONG>Operating on: idx=_audit bucket='/opt/splunk/var/lib/splunk/linux_os/db/hot_v1_1'</STRONG></EM><BR /><EM><STRONG>Total buckets checked=2, succeeded=1, failed=1</STRONG></EM><BR /><EM><STRONG>Loaded latency_tracker_log_interval with value=30 from stanza=health_reporter</STRONG></EM><BR /><EM><STRONG>Loaded aggregate_ingestion_latency_health with value=1 from stanza=health_reporter</STRONG></EM><BR /><EM><STRONG>aggregate_ingestion_latency_health with value=1 from stanza=health_reporter will enable the aggregation of ingestion latency health reporter.</STRONG></EM><BR /><EM><STRONG>Loaded ingestion_latency_send_interval_max with value=86400 from stanza=health_reporter</STRONG></EM><BR /><EM><STRONG>Loaded ingestion_latency_send_interval with value=30 from stanza=health_reporter</STRONG></EM></SPAN></P><P><SPAN>Is there a way to solve these problems?</SPAN></P> Mon, 02 Jun 2025 09:06:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-real-time-data-integrity-check/m-p/747338#M22339 esllorj 2025-06-02T09:06:21Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-real-time-data-integrity-check/m-p/747339#M22340 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310604">@esllorj</a>&nbsp;</P><P>In short - you cannot run an integrity check against buckets created before the integrity check was enabled, see the following community post:&nbsp;<A href="https://community.splunk.com/t5/Splunk-Enterprise/enable-integrity-control-on-splunk-6-3/m-p/266889#:~:text=Error%20description%20%22journal%20has%20no,Reason%3DJournal%20has%20no%20hashes" target="_blank">https://community.splunk.com/t5/Splunk-Enterprise/enable-integrity-control-on-splunk-6-3/m-p/266889#:~:text=Error%20description%20%22journal%20has%20no,Reason%3DJournal%20has%20no%20hashes</A>.</P><P>Credit to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/36761">@dbhagi_splunk</a>&nbsp;for their answer here:</P><LI-CODE lang="markup">Data Integrity Control feature &amp; the corresponding settings/commands only apply to the data that is indexed after turning on this feature. It won't go ahead &amp; generate hashes (or even check integrity) for pre-existing data. So in the case where "./splunk check-integrity -index [index_name]" returned the following error, That means this bucket is not created/indexed with Data Integrity control feature enabled. Either it was created before you enabled it (assuming you turned on this feature for your index now) or you haven't enabled this feature for the index=index_name at all. Error description "journal has no hashes": This indicates that journal is not created with hashes enabled. Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes. Same applies to "./splunk generate-hash-files -index [ index_name]" You would be able to generate (means, extracting the hashes embedded in the journal) only for data integrity control enabled buckets. This won't go and compute/create hashes for normal buckets without this feature enabled. Say you enabled the feature &amp; you created few buckets, but you lost hash files of a particular bucket (someone modified or deleted them on disk), then you can run this command so that it again extract hashes &amp; writes them to hash files (l1hashes_id_guid.dat, l2hash_id_guid.dat). Hope i answered all your questions.</LI-CODE><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Mon, 02 Jun 2025 09:28:45 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-real-time-data-integrity-check/m-p/747339#M22340 livehybrid 2025-06-02T09:28:45Z