Match Events Containing Specific Hash Values

Match events containing a specific hashed value using the hashMatch() function

Query

hashMatch("12345678", salt="salt1")

Introduction

The hashMatch() function can be used to filter events by matching a specific value against hashed data in your events. It creates a hash of the provided value using the specified salt and matches it against the event data. A salt is a random string added to the data before hashing to make the hash more secure.

In this example, the hashMatch() function is used to find events where the value 12345678 appears in the event data as a hash created with the salt equal to salt1.

Example incoming data might look like this:

| @timestamp | @rawstring |
|---|---|
| 2025-09-01T10:00:00Z | User logged in with hash:a1b2c3d4e5f6g7h8i9 |
| 2025-09-01T10:00:05Z | Failed login attempt hash:f6e5d4c3b2a1 |
| 2025-09-01T10:00:10Z | Password reset requested hash:h9i8g7f6e5d4 |

Step-by-Step

  1. Starting with the source repository events.

  2. hashMatch("12345678", salt="salt1")

    Filters events by checking if the hash of value 12345678 (created using the salt salt1) appears anywhere in the @rawstring field. The function creates the hash using the provided value and salt, then searches for this hash pattern in the event data.

  3. Event Result set.

Summary and Results

The query is used to filter events that contain a specific hashed value in their content.

This query is useful, for example, to search for specific sensitive values in logs where the values have been hashed for security purposes, such as finding events related to a specific user ID or account number that has been hashed in the logs.

Sample output from the incoming example data:

| @timestamp | @rawstring |
|---|---|
| 2025-09-01T10:00:00Z | User logged in with hash:a1b2c3d4e5f6g7h8i9 |

Note that the salt value must match the one used when the original hash was created in the data. The function searches for the hash pattern anywhere in the event data.
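The matching behaviour described above, modelled in Python as an added example (not LogScale code and not part of the original page). It assumes SHA-256 over salt + value, hex-encoded, as a stand-in for whatever scheme hashMatch() uses internally; the helper names and sample events are constructed for illustration.

```python
import hashlib


def salted_hash(value: str, salt: str) -> str:
    # Assumption: SHA-256 over salt + value, hex-encoded. The encoding used by
    # LogScale may differ; this only models the salted-hash idea.
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()


def redact(line: str, secret: str, salt: str) -> str:
    """Ingest side: replace the clear-text value with its salted hash."""
    return line.replace(secret, "hash:" + salted_hash(secret, salt))


def hash_match(events, value: str, salt: str):
    """Search side: hash the candidate value, then look for that hash
    anywhere in the raw event text."""
    needle = salted_hash(value, salt)
    return [e for e in events if needle in e["@rawstring"]]


# Constructed sample data: (timestamp, message, sensitive value in the message)
RAW = [
    ("2025-09-01T10:00:00Z", "User logged in with 12345678", "12345678"),
    ("2025-09-01T10:00:05Z", "Failed login attempt 87654321", "87654321"),
    ("2025-09-01T10:00:10Z", "Password reset requested 55501234", "55501234"),
]

# Events as they would be stored after hashing with the salt "salt1".
EVENTS = [
    {"@timestamp": ts, "@rawstring": redact(msg, secret, "salt1")}
    for ts, msg, secret in RAW
]

if __name__ == "__main__":
    # Same value, same salt: exactly one event matches.
    for event in hash_match(EVENTS, "12345678", "salt1"):
        print(event["@timestamp"], event["@rawstring"])
    # Same value, different salt: the hash differs, so nothing matches.
    print(len(hash_match(EVENTS, "12345678", "salt2")))
```
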

This example shows how to search for hashed values anywhere in event data. For searching in specific fields, see Match Hashed Values in Specific Fields. To understand how to create searchable hashed data, see Hash Field Values Using hashRewrite().