Because of the additional processing overhead, indexing with IT data signing enabled can negatively affect indexing performance. Smaller blocks mean more blocks to sign, and larger blocks require more work on display. Experiment with block size to determine optimal performance, as small events can effectively use slightly larger blocks. The block size setting is a maximum; you may have smaller blocks if you are not indexing enough events to fill a block in a few seconds. This allows incoming events to be signed even when the indexing rate is very slow.
Turning IT data signing ON slows indexing.
Setting the blockSignSize attribute to high integer values (such as 1000) slows indexing performance.
For best performance, set blockSignSize to a value near 100.
Block signing is not supported for distributed search.
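The following Python sketch is an added example, not Splunk's code: it models the block-size trade-off described above with a constructed HMAC-SHA256 signer, and the function names, key, flush_after interval and sample events are all assumptions. It shows that smaller blocks cost more signing operations, larger blocks cost more rehashing per displayed event, and a slow stream is still signed because blocks close on a timer.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed key, for illustration only
FAST = [(i * 0.001, f"event {i}") for i in range(1000)]  # constructed: 1000 events in 1 s
SLOW = [(0.0, "a"), (10.0, "b"), (20.0, "c")]  # constructed: one event every 10 s

def _seal(block_events):
    """Sign one block: HMAC over the length-prefixed text of every event in it."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for _, text in block_events:
        data = text.encode()
        mac.update(len(data).to_bytes(4, "big") + data)
    return {"events": list(block_events), "sig": mac.hexdigest()}

def sign_blocks(events, block_sign_size, flush_after=5.0):
    """Group (timestamp, text) events into signed blocks.

    block_sign_size is a maximum: a block also closes when the next event
    arrives more than flush_after seconds (assumed value) after its first event.
    """
    blocks, current = [], []
    for ts, text in events:
        full = len(current) >= block_sign_size
        stale = bool(current) and ts - current[0][0] > flush_after
        if current and (full or stale):
            blocks.append(_seal(current))
            current = []
        current.append((ts, text))
    if current:
        blocks.append(_seal(current))
    return blocks

def verify_block(block):
    """Return (ok, events_rehashed); checking one event means rehashing its whole block."""
    expected = _seal(block["events"])["sig"]
    return hmac.compare_digest(expected, block["sig"]), len(block["events"])

if __name__ == "__main__":
    for size in (10, 100, 1000):
        blocks = sign_blocks(FAST, size)
        print(size, "-> signatures:", len(blocks), "verify:", verify_block(blocks[0]))
    print("slow stream blocks:", len(sign_blocks(SLOW, 100)))
```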
About event hashing
Event hashing provides a lightweight way to detect if events have been tampered with between index time and search time.
Event hashes aren't cryptographically secure. Someone could tamper with an event if they have physical access to a machine's file system.
You should use event hashing only if you don't have the capability to run Splunk's IT data block signing feature; individual event hashing is more resource intensive than data block signing.
Note: Event hashing is not available for cluster configurations.
You can add signing to any custom archiving script by adding a single line that calls the signtool -s utility. Place this line anywhere after the data formatting lines in the script, but before the lines that copy the data to the archive.