
issue with hashing features

New Member

Hi all, according to the docs:
http://www.splunk.com/base/Documentation/latest/admin/Eventhashing

it seems very easy to turn on the hashing features by creating a new audit.conf and putting the [eventHashing] directive inside.

After restarting the splunkd service nothing happens, and I can't see any error in the Splunk log folder.
Help me, please.


Re: issue with hashing features

Builder

Zagor,

Have you verified eventHashing is working via search? This can be done by creating a non-underscore field for _decoration. Try:

* | head 100 | eval decoration=_decoration

This search should give you a decoration field with one or more of the following values:

decoration_audit_valid
decoration_audit_gap
decoration_audit_tampered
decoration_audit_cantvalidate