Calculates a secure hash of a field and uses that to match
events as a filter. See hashRewrite() on
how get hashes into events. Bits must be set to the value
applied when the hash was stored in the event.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
bits | integer | optional[a] | 256 | Hash algorithm output bits to keep. Must be a multiple of 8. |
| Minimum | 8 | |||
| Maximum | 512 | |||
field | string | optional[a] | The name of the field to look for an exact match against. If not set then @rawstring is searched for a matching substring. | |
hash | string | optional[a] | sha256 | Hash algorithm to use for the match. |
| Values | ||||
sha256 | ||||
sha512 | ||||
input[b] | string | required | A constant value to hash and then apply as the search term. | |
salt | string | required | The name of the secret salt to use. | |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
inputcan be omitted; the following forms of this function are equivalent:logscale SyntaxhashMatch("value",salt="value")and:
logscale SyntaxhashMatch(input="value",salt="value")These examples show basic structure only.
hashMatch() Syntax Examples
Filter events to only match those that have the value in the
ssn field equal to the hash of
12345678
ssn =~ hashMatch("12345678", salt="salt1")Filter events to only match those that have the value of the hash of 12345678 somewhere in @rawstring
hashMatch("12345678", salt="salt1")hashMatch() Examples
Click next to an example below to get the full details.
Match Events Containing Specific Hash Values
Match events containing a specific hashed value using the
hashMatch() function
Query
hashMatch("12345678", salt="salt1")Introduction
In this example, the hashMatch() function is used
to find events where the value 12345678 appears in
the event data as a hash created with the
salt equal to
salt1.
Example incoming data might look like this:
| @timestamp | @rawstring |
|---|---|
| 2025-09-01T10:00:00Z | User logged in with hash:a1b2c3d4e5f6g7h8i9 |
| 2025-09-01T10:00:05Z | Failed login attempt hash:f6e5d4c3b2a1 |
| 2025-09-01T10:00:10Z | Password reset requested hash:h9i8g7f6e5d4 |
Step-by-Step
Starting with the source repository events.
- logscale
hashMatch("12345678", salt="salt1")Filters events by checking if the hash of value
12345678(created using the saltsalt1) appears anywhere in the @rawstring field. The function creates the hash using the provided value and salt, then searches for this hash pattern in the event data. Event Result set.
Summary and Results
The query is used to filter events that contain a specific hashed value in their content.
This query is useful, for example, to search for specific sensitive values in logs where the values have been hashed for security purposes, such as finding events related to a specific user ID or account number that has been hashed in the logs.
Sample output from the incoming example data:
| @timestamp | @rawstring |
|---|---|
| 2025-09-01T10:00:00Z | User logged in with hash:a1b2c3d4e5f6g7h8i9 |
Note that the salt value must match the one used when the original hash was created in the data. The function searches for the hash pattern anywhere in the event data.
This example shows how to search for hashed values anywhere in event
data. For searching in specific fields, see
Match Hashed Values in Specific Fields. To understand how to create
searchable hashed data, see Hash Field Values Using hashRewrite() .
Match Hashed Values in Specific Fields
Match events where a field equals a hashed value using the
hashMatch() function
Query
ssn =~ hashMatch("12345678", salt="salt1")Introduction
In this example, the hashMatch() function is used
to filter events where the ssn field matches the
hash of a specific value, using a specified
salt value for the
hashing. A salt is a random string added to the data before hashing to
make the hash more secure.
Note that the example uses the hashMatch() function
with the comparison operator =~ to match against a
specific field.
Example incoming data might look like this:
| @timestamp | ssn | name | action |
|---|---|---|---|
| 2025-08-06T10:00:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | login |
| 2025-08-06T10:01:00Z | j1k2l3m4n5o6p7q8r9 | Jane Smith | logout |
| 2025-08-06T10:02:00Z | x1y2z3a4b5c6d7e8f9 | Bob Wilson | login |
| 2025-08-06T10:03:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | update |
| 2025-08-06T10:04:00Z | m1n2o3p4q5r6s7t8u9 | Alice Brown | login |
Step-by-Step
Starting with the source repository events.
- logscale
ssn =~ hashMatch("12345678", salt="salt1")Filters events where the ssn field value matches the hash of
12345678. ThehashMatch()function creates a hash using the specified string andsaltvalue (salt1), then compares it against the value in the ssn field.The
saltparameter is required and should match the salt used when the original data was hashed. Event Result set.
Summary and Results
The query is used to find events where a hashed field matches an expected value without exposing the original sensitive data.
This query is useful, for example, to track specific user activities in logs where sensitive information like social security numbers are stored in hashed form for security compliance.
Sample output from the incoming example data:
| @timestamp | ssn | name | action |
|---|---|---|---|
| 2025-08-06T10:00:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | login |
| 2025-08-06T10:03:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | update |
Only events where the hashed value in ssn matches
the hash of 12345678 are included in the results.
This example demonstrates searching for specific hashed values in a
named field. For searching hashed values anywhere in event data, see
Match Events Containing Specific Hash Values. To learn how to create hashed values
that can be searched this way, see
Hash Field Values Using hashRewrite() .