Configure archive signing
You can use archive signing to sign your Splunk data when it gets archived (rolled from cold to frozen). An archive signature is a hash-based signature over all the data in the archived bucket. When you later restore the archive, the signature lets you verify that the bucket's contents have not been altered since they were signed.
See "Set a retirement and archiving policy" for general information on how archiving works.
How archive signing works
By default, Splunk does not archive data when it rolls to frozen. It merely deletes it from the index. You can, however, configure Splunk to archive the data before removing it from the index. There are two ways to set up archiving: let Splunk perform the archiving automatically, or specify a custom archiving script that Splunk runs for each bucket as it rolls to frozen.
See "Archive indexed data" to learn how to configure data archiving.
To use archive signing, you must specify a custom archiving script; you cannot use it if you choose to have Splunk perform the archiving automatically. You add signing to your script by invoking the signtool -s utility.
Splunk verifies archived data signatures automatically upon restoring the archive. You can also verify signatures manually by using signtool -v <archive_path>.
Add signing to your custom script
You can add signing to any custom archiving script. You just add a single line for the signtool -s utility. Place this line anywhere after the data formatting lines in the script, but before the lines that copy the data to the archive.
See "Archive indexed data" for details on creating an archiving script.
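The following is an added example of a custom archiving script that follows the placement rule above (sign after any data-formatting steps, before the copy to the archive) and also wraps the later verification step. It is not Splunk's own script and not from this page. Assumptions not stated on the page: Splunk passes the bucket directory as the script's first argument, a non-zero exit from the script is treated as a failed archive so the bucket is not deleted, and the ARCHIVE_ROOT destination and the SIGNTOOL override are this script's own conventions. The only page-supported facts it relies on are the location $SPLUNK_HOME/bin/signtool and the -s / -v flags.

```shell
#!/bin/sh
# Added example of a cold-to-frozen archiving script with archive signing.
# Not Splunk's own script. Assumptions (not from the page): Splunk calls this
# script with the bucket directory as $1; a non-zero exit tells Splunk the
# archive failed so the bucket is kept; ARCHIVE_ROOT and SIGNTOOL are
# conventions of this script only.

set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
# signtool lives in $SPLUNK_HOME/bin (from the page); SIGNTOOL lets a test
# or an operator point at a different binary.
SIGNTOOL="${SIGNTOOL:-$SPLUNK_HOME/bin/signtool}"
# Assumed archive destination; pick a path outside the index volumes.
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/var/archive/splunk}"

# archive_bucket BUCKET_DIR ARCHIVE_DIR
# Signs the bucket in place, then copies it under ARCHIVE_DIR.
# Prints the destination path on success. Returns non-zero on any failure,
# so that an unsigned or half-copied bucket is never reported as archived.
archive_bucket() {
    bucket="$1"
    dest_root="$2"
    [ -d "$bucket" ] || { echo "not a bucket directory: $bucket" >&2; return 1; }
    name=$(basename "$bucket")
    dest="$dest_root/$name"
    # Never silently replace an existing archive of the same bucket.
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }

    # Any data-formatting steps belong here, before signing, so the
    # signature covers exactly what gets copied.

    # Sign the bucket in place (signtool -s, from the page). Signing before
    # the copy means the signature travels with the archived data.
    "$SIGNTOOL" -s "$bucket" || { echo "signing failed for $bucket" >&2; return 1; }

    mkdir -p "$dest_root"
    cp -pR "$bucket" "$dest"
    printf '%s\n' "$dest"
}

# verify_archive ARCHIVE_PATH
# Manual integrity check after a restore (signtool -v, from the page).
# Returns signtool's exit status: zero only if the signature verifies.
verify_archive() {
    "$SIGNTOOL" -v "$1"
}

# Entry point: when Splunk invokes this script, $1 is the bucket path.
if [ "${1:-}" != "" ]; then
    archive_bucket "$1" "$ARCHIVE_ROOT"
fi
```

Because the copy happens only after signtool -s succeeds, a signing failure leaves the bucket in the index and the archive untouched, which is the failure mode you want: an archive that cannot be verified is worse than an archive that has not happened yet.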
Syntax summary
Use signtool, located in $SPLUNK_HOME/bin, to sign buckets during archiving. You can also use it later to verify the integrity of an archive.
To sign:
signtool [-s | --sign] <archive_path>
To verify:
signtool [-v | --verify] <archive_path>
This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6