https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107686#M22639 <P>I would just create new indices <YOUINDEXNAME>_s and point all your new incoming data to the new indexices leaving your old ones in place. Then search across multiple indexes when needed.</YOUINDEXNAME></P> Wed, 31 Oct 2012 17:56:00 GMT bmacias84 2012-10-31T17:56:00Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107675#M22628 <P>Is there a way to enable data block signing WITHOUT losing all your data? I would like to enable this as stated here:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/ITDataSigning">http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/ITDataSigning</A></P> <P>However, I do not want to lose the data I currently have. </P> <PRE><CODE>You now must reindex your data for this change to take effect (this will delete all of your data!): ./splunk stop ./splunk clean all .splunk start </CODE></PRE> <P>Has anyone done this? I don't care if its just for new events coming in but I cannot lose the old data...</P> <P>Thanks.</P> <P>Kevin</P> Tue, 30 Oct 2012 20:05:41 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107675#M22628 kholleran 2012-10-30T20:05:41Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107676#M22629 <P>It might be best to stop, move the existing data to a new index name (rename the directory/location for the old data), and then just have new data signed, while the old data is kept in a separate, unsigned index. If you don't clear out the index, it will still work, but your signature verification won't necessarily be valid.</P> Tue, 30 Oct 2012 22:22:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107676#M22629 gkanapathy 2012-10-30T22:22:25Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107677#M22630 <P>I have been reading some other questions, though none really answer my questions, then perhaps raise the validity of this course of action to achieve what I want. My goal is for PCI compliance for a way to illustrate that no log data has been changed. We have alerts and monitor any kind of access to this data, but I want to be able to illustrate through a hash that no data has changed should our QSA require that...</P> <P>Thanks!</P> Tue, 30 Oct 2012 22:22:26 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107677#M22630 kholleran 2012-10-30T22:22:26Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107678#M22631 <P>Yes, there is a way to enable blocksigning without losing your existing data and block Signing only new events. do you want to blocksign all indexes? You are also aware of blocksign is not supported in a distributed search configuration and has performance implications.</P> Tue, 30 Oct 2012 22:22:26 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107678#M22631 bmacias84 2012-10-30T22:22:26Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107679#M22632 <P>Note that you can actually block sign in a distributed environment, but the only way to verify the signatures is to log into each individual indexer and verify the data on each one independently.</P> Tue, 30 Oct 2012 22:23:17 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107679#M22632 gkanapathy 2012-10-30T22:23:17Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107680#M22633 <P>@gkanapathy, Correct me if I am wrong that due to the fact that the blockSignatureDatabase is local to the indexer?(clarification for me)</P> Tue, 30 Oct 2012 22:30:41 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107680#M22633 bmacias84 2012-10-30T22:30:41Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107681#M22634 <P>@bmacias84, yes, that is correct.</P> Tue, 30 Oct 2012 22:33:00 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107681#M22634 gkanapathy 2012-10-30T22:33:00Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107682#M22635 <P>Thanks for your help. How do I move the existing data? I have found a few articles but I am a little nervous about this so I was hoping you could point me to a good resource. Thanks!</P> Wed, 31 Oct 2012 12:23:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107682#M22635 kholleran 2012-10-31T12:23:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107683#M22636 <P>just move/rename the directory</P> Wed, 31 Oct 2012 15:22:29 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107683#M22636 gkanapathy 2012-10-31T15:22:29Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107684#M22637 <P>Follow this document <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex">http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex</A>. I done this a few times with no problem.</P> Wed, 31 Oct 2012 15:28:23 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107684#M22637 bmacias84 2012-10-31T15:28:23Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107685#M22638 <P>Just to clarify, by stopping splunk, renaming the directory structure the data is in, it will then re-create the original (if I don't change the SPLUNK_DB variable)? Of course I will also add in the data block signing at the same time prior to restarting splunk. However, will this just set aside the old data or will this set it as a separate index that can still be searchable if need be? Is there a way to just make this an index called 'pre-data-signing' and be able to search on it if it is needed? Thanks for all your help.</P> Wed, 31 Oct 2012 17:31:01 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107685#M22638 kholleran 2012-10-31T17:31:01Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107686#M22639 <P>I would just create new indices <YOUINDEXNAME>_s and point all your new incoming data to the new indexices leaving your old ones in place. Then search across multiple indexes when needed.</YOUINDEXNAME></P> Wed, 31 Oct 2012 17:56:00 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107686#M22639 bmacias84 2012-10-31T17:56:00Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107687#M22640 <P>I ended up creating a separate index, then using a deployment app, I am pointing all my devices to the new index that has data block signing enabled.</P> <P>Thanks everyone for your help.</P> <P>Kevin</P> Mon, 12 Nov 2012 21:01:24 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Data-Block-Signing/m-p/107687#M22640 kholleran 2012-11-12T21:01:24Z