Difference between Event hashing and IT block signing

Path Finder

Hi all,

I would like to know the difference between Event Hashing & IT block signing on measures like which is more secure, better on performance.

Also can someone guide me to a script for signing archive data as well. It would be of great help.

Thank you


Tags (2)
0 Karma

Ultra Champion

I think the docs say it pretty well regarding performance and differences. If your installation supports Block Signing, go with that. For signing of archived data, see below as well.


Block signing.

Performance implications
Because of the additional processing overhead, indexing with IT data signing enabled can negatively affect indexing performance. Smaller blocks mean more blocks to sign and larger blocks require more work on display. Experiment with block size to determine optimal performance, as small events can effectively use slightly larger blocks. The block size setting is a maximum, you may have smaller blocks if you are not indexing enough events to fill a block in a few seconds. This allows incoming events to be signed even when the indexing rate is very slow.

Turning IT data signing ON slows indexing.
Setting the blockSignSize attribute to high integer values (such as 1000) slows indexing performance.
For best performance, set blockSignSize to a value near 100.

Distributed search
Block signing is not supported for distributed search.

Event Hashing.

About event hashing
Event hashing provides a lightweight way to detect if events have been tampered with between index time and search time.

Event hashes aren't cryptographically secure. Someone could tamper with an event if they have physical access to a machine's file system.

You should use event hashing only if you don't have the capability to run Splunk's IT data block signing feature; individual event hashing is more resource intensive than data block signing.

Note: Event hashing is not available for cluster configurations.

Archiving script.

Splunk ships with an example archiving script that you can edit, $SPLUNK_HOME/bin/

Signing archived data.

You can add signing to any custom archiving script. You just add a single line for the signtool -s utility. Place this line anywhere after the data formatting lines in the script, but before the lines that copy the data to the archive.