https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617508#M106614 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thank you very much for the answer I really appreciate it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>May be I wasn't clear but yeah I totally used data integrity control on the indexer but thank you for the remarque.</P><P>I did what you said and I do have an unsuccessful security check, thank you very much for that. but since the files in raw data are either .dat or .zst files I can't really understand what m deleting. is there a way to understand what i'm deleting ?</P><P>thank you again&nbsp;</P><P>&nbsp;</P> Tue, 18 Oct 2022 09:35:48 GMT aatik5u 2022-10-18T09:35:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617505#M106612 <P>Hello there,</P> <P>Here is the context, I have a Splunk test environment, one indexer one search head and one forwarder. I'm in charge of finding a way to guarantee the integrity of the events available on the search head.</P> <P>My first question is, how to test data integrity control? I implemented it based on Splunk documentation, I tried to run Splunk clean and use the delete command (now I know that the event is not deleted from the index using delete),&nbsp; and I edited the log files. But the integrity check is always successful. In an other words, in what case does the integrity check becomes unsuccessful?&nbsp;</P> <P>My second question is, I changed the auth.log file, I mean this can be super dangerous but Splunk just displays both events, before the edit and after the edit. How can I use Splunk to detect such changes?</P> <P>Any help would be appreciated, thank you so much for your time&nbsp;</P> Tue, 18 Oct 2022 14:26:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617505#M106612 aatik5u 2022-10-18T14:26:27Z https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617506#M106613 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244402">@aatik5u</a>,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/Dataintegritycontrol" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/Dataintegritycontrol</A>&nbsp;and&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/ChecktheintegrityofyourSplunksoftwarefiles" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/ChecktheintegrityofyourSplunksoftwarefiles</A>&nbsp;,Data integrity is check on Indexers (that contain data) and not on Search Heads.</P><P>So deleting an event by CLI you don't modify Data integrity because the events remain in the index with a deleted status.</P><P>If you want to check Data Integrity, you have to go in the folder of one index with Data Integrity Check enabled and manually modify some row data.</P><P>Then performing the Integrity Check you'll have an error.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 18 Oct 2022 09:21:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617506#M106613 gcusello 2022-10-18T09:21:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617508#M106614 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>Thank you very much for the answer I really appreciate it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>May be I wasn't clear but yeah I totally used data integrity control on the indexer but thank you for the remarque.</P><P>I did what you said and I do have an unsuccessful security check, thank you very much for that. but since the files in raw data are either .dat or .zst files I can't really understand what m deleting. is there a way to understand what i'm deleting ?</P><P>thank you again&nbsp;</P><P>&nbsp;</P> Tue, 18 Oct 2022 09:35:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617508#M106614 aatik5u 2022-10-18T09:35:48Z https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617509#M106615 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244402">@aatik5u</a>,</P><P>raw data are in $SPLUNK_DB/&lt;index&gt;/colddb/db_xxxxxxx_xxxxx_x/rawdata or in&nbsp;$SPLUNK_DB/&lt;index&gt;/db/db_xxxxxxx_xxxxx_x/rawdata</P><P>Ciao.</P><P>Giuseppe</P> Tue, 18 Oct 2022 09:42:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-test-data-integrity/m-p/617509#M106615 gcusello 2022-10-18T09:42:45Z