Configure archive signing
Use archive signing to sign your Splunk data as it is archived (moved from colddb to frozen). This lets you verify integrity when you restore an archive. Configure the size of the slice by setting your automated archiving policies.
How archive signing works
Data is archived from the colddb to frozen when either:
- the size of your index reaches a maximum that you specify.
- data in your index reaches a certain age.
Specify automated archiving policies to define how your data is archived.
Data is archived from the colddb to frozen with a coldToFrozen script that you specify. Splunk ships with two standard scripts, but you may use your own. The coldToFrozen script tells Splunk how to format your data (gz, raw, etc.) and where to archive it. Archive signing happens after the coldToFrozen script formats your data into its archive format; the data is then moved to the archive location that you specified according to your archive policy.
An archive signature is a hash signature of all the data in the data slice.
To invoke archive signing, use the standalone signtool utility. Add signtool -s <path_of_archive> to the coldToFrozen script anywhere after the data formatting lines, but before the lines that copy your data to your archive. See the section below on configuring coldToFrozen scripts.
Verify archived data signatures
Splunk verifies archived data signatures automatically upon restoring. You can verify signatures manually by using signtool -v <path_to_archive>.
Configure coldToFrozen scripts
Configure any coldToFrozen script by adding a line for the signtool utility.
Note: If you use a standard Splunk archiving script, either rename the script or move it to another location (and specify that location in indexes.conf) to avoid having changes overwritten when you upgrade Splunk.
Standard Splunk archiving scripts
The two example archiving scripts that are shipped with Splunk are shown below with archive signing.
Splunk's two archiving scripts are:
compressedExport.sh
This script exports files with the tsidx files compressed as gz.
#!/bin/sh
gzip $1/*.tsidx
signtool -s <path_to_archive> # replace this with the path to the archive you want signed
cp -r $1 /opt/tmp/myarchive # replace this with your archive directory
This script is shipped as an example, compressedExport.sh.example.
flatfileExport.sh
This script exports files as a flat text file.
#!/bin/sh
exporttool $1 ${1}/index.export meta::all
rm -rf ${1}/*.data
rm -rf ${1}/rawdata
rm -rf ${1}/*.tsidx
signtool -s <path_to_archive> # replace this with the path to the archive you want signed
cp -r $1 /opt/tmp/myarchive #replace this with your archive directory
This script is shipped as an example, flatfileExport.sh.example.
Note: Although these scripts can be used with a little editing, we strongly suggest that you only use them as a guide. Any script you configure Splunk to run can impact the performance of your Splunk instance, so make sure you optimize it for your environment.
Your own custom scripts
You can also use your own scripts to move data from cold to frozen.
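A custom coldToFrozen script that follows the ordering described above (format, then sign, then copy), written as an added example rather than one of Splunk's shipped scripts. It goes one step further than the examples on this page by verifying the signature immediately after signing and exiting non-zero if any step fails, so unsigned or mis-signed data is never copied into the archive. The SIGNTOOL and ARCHIVE_ROOT variables are this example's own names, not Splunk settings.

```shell
#!/bin/sh
# Custom coldToFrozen script: compress, sign, verify, then copy.
# Splunk invokes the script with the bucket path as its only argument.
# Assumptions (not from the Splunk docs): signtool lives at
# $SPLUNK_HOME/etc/bin/signtool, and ARCHIVE_ROOT is the frozen location.
set -eu

ARCHIVE_ROOT="${ARCHIVE_ROOT:-/opt/tmp/myarchive}"
SIGNTOOL="${SIGNTOOL:-${SPLUNK_HOME:-/opt/splunk}/etc/bin/signtool}"

# Freeze one bucket: gzip the tsidx files, sign, verify, copy to the archive.
# Prints the archived path on success; returns non-zero on any failure so
# nothing unsigned ends up in the archive.
freeze_bucket() {
    bucket="$1"
    [ -d "$bucket" ] || { echo "no such bucket: $bucket" >&2; return 1; }
    # 1. format: compress the index files (as compressedExport.sh does)
    for f in "$bucket"/*.tsidx; do
        if [ -e "$f" ]; then gzip -f "$f"; fi
    done
    # 2. sign the bucket in place, before anything is copied
    "$SIGNTOOL" -s "$bucket" || { echo "signing failed: $bucket" >&2; return 2; }
    # 3. verify now, so a bad signature is caught here rather than at restore
    "$SIGNTOOL" -v "$bucket" || { echo "verify failed: $bucket" >&2; return 3; }
    # 4. copy the signed bucket into the archive under its own name
    mkdir -p "$ARCHIVE_ROOT"
    cp -r "$bucket" "$ARCHIVE_ROOT/"
    echo "$ARCHIVE_ROOT/$(basename "$bucket")"
}

# Only act when called the way Splunk calls a coldToFrozen script.
if [ "$#" -eq 1 ]; then
    freeze_bucket "$1"
fi
```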
Sign or verify your data slices
Use signtool, located in $SPLUNK_HOME/etc/bin, to sign data slices as they are archived or to verify the integrity of an archive.
Syntax
To sign:
signtool [-s | --sign] archive_path
To verify:
signtool [-v | --verify] archive_path
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11