Hi all,
I had configured the data integrity on index=index_test of my Splunk infrastructure following the instruction on https://docs.splunk.com/Documentation/Splunk/6.3.3/Security/Dataintegritycontrol
Now I have the l1Hashes and l2Hash files as expected and I deleted, for testing, a single log from the index_test (from GUI whit "delete" command). But after performing a check-integrity command
./splunk check-integrity -index index_test
I have no "failure", all check goes ok.
Is this an expected behaviour? My expectation was that erasing a single log would impact the "integrity" of the logs causing a failure on the integrity check. I'm missing something? Someone has experiences on this topic?
Thanks very much,
Gabriele
... View more