Match Hashed Values in Specific Fields

Match events where a field equals a hashed value using the hashMatch() function

Query

Diagram: Events --> Filter --> Result Set
ssn =~ hashMatch("456-78-9012", salt="salt1")

Introduction

The hashMatch() function can be used to filter events by comparing a field value against a hashed string. This is particularly useful when working with sensitive data where the original values have been hashed for security purposes.

In this example, the hashMatch() function is used to filter events where the ssn field matches the hash of a specific value, using a specified salt value for the hashing. A salt is a random string added to the data before hashing to make the hash more secure.

Note that the example uses the hashMatch() function with the comparison operator =~ to match against a specific field.

Example incoming data might look like this:

| @timestamp | action | ssn | user_id |
|---|---|---|---|
| 2025-09-01T10:00:00Z | profile_update | C4ZkaokbIUltItryWgtdRmIdCCnsWVhhrOg3GDrTkx8 | user1 |
| 2025-09-01T10:00:05Z | new_account | C4ZkaokbIUltItryWgtdRmIdCCnsWVhhrOg3GDrTkx8 | user2 |
| 2025-09-01T10:00:10Z | profile_view | naHQMPbzY6pLiFG8aiJzfxw5Gj4mLQ+bf2b0AJv8OPQ | user3 |

Step-by-Step

  1. Starting with the source repository events.

  2. Diagram: Events --> Filter --> Result Set, with the Filter step highlighted.
    ssn =~ hashMatch("456-78-9012", salt="salt1")

    Filters events where the ssn field value matches the hash of 456-78-9012. The hashMatch() function creates a hash using the specified string and salt value (salt1), then compares it against the value in the ssn field.

    The salt parameter is required and should match the salt used when the original data was hashed (in this case salt1). For more information, see Hash Field Values Using hashRewrite().

  3. Event Result set.

Summary and Results

The query is used to find events where a hashed field matches an expected value without exposing the original sensitive data.

This query is useful, for example, to track specific user activities in logs where sensitive information such as social security numbers is stored in hashed form for security compliance.

Sample output from the incoming example data:

| @timestamp | action | ssn | user_id |
|---|---|---|---|
| 2025-09-01T10:00:10Z | profile_view | naHQMPbzY6pLiFG8aiJzfxw5Gj4mLQ+bf2b0AJv8OPQ | user3 |

Only events where the hashed value in ssn matches the hash of 456-78-9012 are included in the results.

This example demonstrates searching for specific hashed values in a named field. For searching hashed values anywhere in event data, see Match Events Containing Specific Hash Values. To learn how to create hashed values that can be searched this way, see Hash Field Values Using hashRewrite().
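
A round trip through hashRewrite() and hashMatch(), as an added example that is not part of the original documentation: it hashes a clear-text ssn field with salt1 and then labels each event by whether the lookup value reproduces the stored hash under the same salt or under a different one. The sample events, the salt2 value and the salt_check field name are constructed for illustration.

```logscale
// Constructed sample events (not from the original page); the SSNs are made-up values.
createEvents([
  "action=profile_update ssn=123-45-6789 user_id=user1",
  "action=new_account ssn=123-45-6789 user_id=user2",
  "action=profile_view ssn=456-78-9012 user_id=user3"
])
| kvParse()
// Replace the clear-text ssn with its salted hash, standing in for hashing done at ingest.
| hashRewrite(ssn, salt="salt1")
// Label each event by which salt, if any, reproduces the stored hash.
// salt2 is a constructed value that differs from the salt used for hashing.
| case {
    ssn =~ hashMatch("456-78-9012", salt="salt1") | salt_check := "matches with salt1";
    ssn =~ hashMatch("456-78-9012", salt="salt2") | salt_check := "matches with salt2";
    * | salt_check := "no match"
  }
| table([user_id, action, ssn, salt_check])
```

Running the query in a search view shows the hashed ssn values next to the label, which makes a salt mismatch between ingest and search visible as events falling through to the default branch.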