Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Configure archive signing

You can use archive signing to sign your Splunk data when it gets archived (rolled from cold to frozen). An archive signature is a hash signature of all the data in the archived bucket. Archive signing lets you verify integrity when you restore an archive.

See "Set a retirement and archiving policy" for general information on how archiving works.

How archive signing works

By default, Splunk does not archive data when it rolls to frozen. It merely deletes it from the index. You can, however, configure Splunk to archive the data before removing it from the index. There are two ways to set up archiving:

See "Archive indexed data" to learn how to configure data archiving.

To use archive signing, you must specify a custom archiving script; you cannot use it if you choose to have Splunk perform the archiving automatically. You add signing to your script by invoking the signtool -s utility.

Splunk verifies archived data signatures automatically upon restoring the archive. You can also verify signatures manually by using signtool -v <archive_path>.

Add signing to your custom script

You can add signing to any custom archiving script. You just add a single line for the signtool -s utility. Place this line anywhere after the data formatting lines in the script, but before the lines that copy the data to the archive.

See "Archive indexed data" for details on creating an archiving script.

Syntax summary

Use signtool, located in $SPLUNK_HOME/bin, to sign buckets during archiving. You can also use it later to verify the integrity of an archive.

To sign:

signtool [-s | --sign] <archive_path>

To verify:

signtool [-v | --verify] <archive_path>
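
The placement rule described above (sign after any data formatting, before the copy to the archive), shown as a minimal custom archiving script. This is an added example, not Splunk's own script: it assumes the bucket path arrives as the first argument and that ARCHIVE_DIR names the archive destination, and the archive_bucket function and SIGNTOOL override are hypothetical names.

```shell
#!/bin/sh
# Added example: custom archiving script that signs a bucket before copying it.
# Assumptions (not from the page): the bucket path arrives as $1 and ARCHIVE_DIR
# names the archive destination; /opt/splunk is only a fallback for SPLUNK_HOME.
SIGNTOOL="${SIGNTOOL:-${SPLUNK_HOME:-/opt/splunk}/bin/signtool}"

# archive_bucket <bucket_path> <archive_dir>
# Returns 0 on success; on failure no new or partial copy is left behind.
archive_bucket() {
    bucket=$1
    dest_root=$2
    [ -d "$bucket" ] || { echo "not a directory: $bucket" >&2; return 2; }
    [ -d "$dest_root" ] || { echo "no archive dir: $dest_root" >&2; return 2; }

    dest="$dest_root/$(basename "$bucket")"
    # Never overwrite an existing archive; that would discard the signed copy.
    [ ! -e "$dest" ] || { echo "already archived: $dest" >&2; return 3; }

    # (Any data formatting steps belong here, before signing.)

    # Sign after formatting and before the copy. If signing fails, stop:
    # an unsigned archive cannot be verified on restore.
    "$SIGNTOOL" -s "$bucket" || { echo "signing failed: $bucket" >&2; return 4; }

    # Copy under a temporary name, then rename, so an interrupted copy is
    # never mistaken for a complete archive.
    tmp="$dest.partial.$$"
    if cp -R "$bucket" "$tmp" && mv "$tmp" "$dest"; then
        return 0
    fi
    rm -rf "$tmp"
    echo "copy failed: $bucket" >&2
    return 5
}

# Run only when invoked with a bucket path.
if [ "$#" -ge 1 ]; then
    archive_bucket "$1" "${ARCHIVE_DIR:?set ARCHIVE_DIR to the archive destination}"
fi
```

After a restore, signtool -v <archive_path> checks the archived copy against the signature made here.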


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
