Distributed Search Validate Audit Events

ephemeric
Contributor

Hi,

Is it possible to validate audit events from a search head on search peers?

index=_audit splunk_server="host" | audit

And as per the docs, data blocks can only be validated on the indexer itself?

Thank you.

1 Solution

Ayn
Legend

No, you cannot do this from a search head. Validation of audit events relies on linking events together so they form a chain where each event points to the previous event, and so on. When you issue a search from a search head, the search head is responsible for bringing all events from all search peers together and showing them in whatever order you choose. When doing this, events from different search peers can and will be mixed in the search results, which means the search head won't be able to validate anything. The alternative would be for the search head to retrieve a bunch of extra events and hope that it has the correct certificates/keys for performing the validation, but that could very quickly get messy, especially considering that more complex searches would include commands that cause search peers to return their results to the search head early in the search (head is an example of a command that will cause this behaviour).

I agree with you that it would be elegant if the search peers could somehow validate the events before returning them to the search head; however, as far as I know, this is not currently possible.

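An added illustration of the chaining problem Ayn describes (this is not code from the thread and not Splunk's actual audit-signing format; the hash linking, field names and sample events are a constructed model): each peer's audit log is a hash chain, a search head merges two peers' results by interleaving them, and the chain check fails on the merged stream but passes once the events are grouped back by splunk_server.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed: the "previous hash" of each peer's first event


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def chain_events(server: str, messages: list) -> list:
    """Build a chained audit log for one peer: every event carries a hash over
    its own content plus the previous event's hash (constructed model)."""
    events, prev = [], GENESIS
    for seq, msg in enumerate(messages):
        body = {"splunk_server": server, "seq": seq, "message": msg, "prev": prev}
        digest = _digest(body)
        events.append({**body, "hash": digest})
        prev = digest
    return events


def validate_chain(events: list) -> bool:
    """True only if each event's prev matches the preceding event's hash and
    each stored hash recomputes from the event's content."""
    prev = GENESIS
    for ev in events:
        body = {k: v for k, v in ev.items() if k != "hash"}
        if ev["prev"] != prev or _digest(body) != ev["hash"]:
            return False
        prev = ev["hash"]
    return True


def validate_by_server(events: list) -> dict:
    """What a search head would have to do: partition the mixed result set by
    splunk_server, restore each peer's order, and validate each chain alone."""
    groups = {}
    for ev in events:
        groups.setdefault(ev["splunk_server"], []).append(ev)
    return {srv: validate_chain(sorted(evs, key=lambda e: e["seq"]))
            for srv, evs in groups.items()}


# constructed sample: two indexers, three audit events each
peer_a = chain_events("idx-a", ["login admin", "search run", "logout admin"])
peer_b = chain_events("idx-b", ["login bob", "role change", "logout bob"])
# search-head view: results from both peers merged (e.g. by time), so they interleave
merged = [ev for pair in zip(peer_a, peer_b) for ev in pair]

if __name__ == "__main__":
    print("merged stream validates:", validate_chain(merged))    # False
    print("per-server validation:", validate_by_server(merged))  # both True
```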


ephemeric
Contributor

Thank you, great help.
