Manage data integrity: Would erasing a single log ...

gascar · ‎02-27-2018

Hi all,

I had configured the data integrity on index=index_test of my Splunk infrastructure following the instruction on https://docs.splunk.com/Documentation/Splunk/6.3.3/Security/Dataintegritycontrol

Now I have the l1Hashes and l2Hash files as expected and I deleted, for testing, a single log from the index_test (from GUI whit "delete" command). But after performing a check-integrity command

 ./splunk check-integrity -index index_test

I have no "failure", all check goes ok.
Is this an expected behaviour? My expectation was that erasing a single log would impact the "integrity" of the logs causing a failure on the integrity check. I'm missing something? Someone has experiences on this topic?

Thanks very much,
Gabriele

starcher · ‎03-03-2018

That’s not what the “delete” command does. It doesn’t truly delete anything. It marks events as not searchable. File system hashes are meant to catch OS level changes outside of Splunk.

Manage data integrity: Would erasing a single log would impact the "integrity" of the logs causing a failure on the integrity check?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation