Hi all according whith docs:
seems very easy to turn on the hashing features by create the new audit.conf and put inside [eventHashing] directive.
After restarting the splukd service nothing happens and i can't see no error in spluk log folder.
Help me plz
Have you verified eventHashing is working via search? This can be done by creating a non-underscore field for _decoration. Try:
* | head 100 | eval decoration=_decoration
This search should give you a decoration field with one or more of the following values: