Match Hashed Values in Specific Fields

Match events where a field equals a hashed value using the hashMatch() function

Query

ssn =~ hashMatch("12345678", salt="salt1")

Introduction

The hashMatch() function can be used to filter events by comparing a field value against a hashed string. This is particularly useful when working with sensitive data where the original values have been hashed for security purposes.

In this example, the hashMatch() function is used to filter events where the ssn field matches the hash of a specific value, using a specified salt value for the hashing. A salt is a random string added to the data before hashing to make the hash more secure.

Note that the example uses the hashMatch() function with the comparison operator =~ to match against a specific field.

Example incoming data might look like this:

| @timestamp | ssn | name | action |
|---|---|---|---|
| 2025-08-06T10:00:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | login |
| 2025-08-06T10:01:00Z | j1k2l3m4n5o6p7q8r9 | Jane Smith | logout |
| 2025-08-06T10:02:00Z | x1y2z3a4b5c6d7e8f9 | Bob Wilson | login |
| 2025-08-06T10:03:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | update |
| 2025-08-06T10:04:00Z | m1n2o3p4q5r6s7t8u9 | Alice Brown | login |

Step-by-Step

  1. Starting with the source repository events.

  2. ssn =~ hashMatch("12345678", salt="salt1")

    Filters events where the ssn field value matches the hash of 12345678. The hashMatch() function creates a hash using the specified string and salt value (salt1), then compares it against the value in the ssn field.

    The salt parameter is required and should match the salt used when the original data was hashed.

  3. Event Result set.

Summary and Results

The query is used to find events where a hashed field matches an expected value without exposing the original sensitive data.

This query is useful, for example, to track specific user activities in logs where sensitive information such as social security numbers is stored in hashed form for security compliance.

Sample output from the incoming example data:

| @timestamp | ssn | name | action |
|---|---|---|---|
| 2025-08-06T10:00:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | login |
| 2025-08-06T10:03:00Z | a1b2c3d4e5f6g7h8i9 | John Doe | update |

Only events where the hashed value in ssn matches the hash of 12345678 are included in the results.
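
The matching behaviour described above, modelled outside LogScale as an added example (not code from the LogScale documentation). It assumes SHA-256 over salt plus value, hex-encoded, as a stand-in for LogScale's actual hashing scheme, which this page does not specify; the function names and the non-matching SSN values are constructed for the demonstration.

```python
import hashlib


def salted_hash(value: str, salt: str) -> str:
    # ASSUMPTION: SHA-256 over salt + value, hex-encoded. A stand-in for
    # LogScale's real hashing scheme, which the page does not specify.
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


def ingest(rows, salt):
    """Store events with the ssn field hashed, so no plaintext is kept."""
    return [
        {"@timestamp": ts, "ssn": salted_hash(ssn, salt),
         "name": name, "action": action}
        for ts, ssn, name, action in rows
    ]


def hash_match(events, field, plaintext, salt):
    """Model of `field =~ hashMatch(plaintext, salt=...)`: hash the search
    term with the salt, then keep events whose stored field equals it."""
    wanted = salted_hash(plaintext, salt)
    return [e for e in events if e.get(field) == wanted]


# Constructed sample rows mirroring the table above. Only 12345678 comes
# from the page; the other SSN values are made up for the demonstration.
ROWS = [
    ("2025-08-06T10:00:00Z", "12345678", "John Doe", "login"),
    ("2025-08-06T10:01:00Z", "23456789", "Jane Smith", "logout"),
    ("2025-08-06T10:02:00Z", "34567890", "Bob Wilson", "login"),
    ("2025-08-06T10:03:00Z", "12345678", "John Doe", "update"),
    ("2025-08-06T10:04:00Z", "45678901", "Alice Brown", "login"),
]

EVENTS = ingest(ROWS, salt="salt1")

if __name__ == "__main__":
    # Same salt as at ingest: the two John Doe events are returned.
    for e in hash_match(EVENTS, "ssn", "12345678", salt="salt1"):
        print(e["@timestamp"], e["name"], e["action"])
    # A different salt yields a different hash, so nothing matches.
    print(len(hash_match(EVENTS, "ssn", "12345678", salt="salt2")))
```

In this model a salt mismatch returns an empty result rather than an error, so an unexpectedly empty result set is worth checking against the salt used when the data was hashed.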

This example demonstrates searching for specific hashed values in a named field. For searching hashed values anywhere in event data, see Match Events Containing Specific Hash Values. To learn how to create hashed values that can be searched this way, see Hash Field Values Using hashRewrite().