Hey Folks,
http://docs.splunk.com/Documentation/Splunk/latest/admin/Eventhashing
After reading the documentation on event hash and testing it out, it seem pretty easy to configuration. The only question I have is around security. According the quoted below on event hashing documentation there are two hashes (one created at search time and another created at index time) I'm assuming that the search time hash is ephemeral as it is calculated at search time, and that index time hash is stored somewhere on disk.
"When event hashing is enabled, Splunk hashes events with a SHA256 hash just before index time. When each event is displayed at search time, a hash is calculated and compared to that event's index time hash"
So the two questions I have are:
1) Is the hash generated at search time ephemeral? and how long does it remain in existence if so?
2) Where are the index time hashes stored?
Thanks
Mike.
Event hashing been deprecated since Splunk 5.0, but the good news is that Splunk 6.3 has released the latest feature called Data Integrity which replaces Event Hashing. The new Data Integrity feature supports both distributed search and cluster configurations. Here is a blog post for more in depth information regarding the new Data Integrity feature:
http://blogs.splunk.com/2015/10/28/data-integrity-is-back-baby/
Splunk Documentation on how to enable Data Integrity
http://docs.splunk.com/Documentation/Splunk/6.3.0/Security/Dataintegritycontrol