This filter is used to search or extract hashes from a Message.
Supported types of hashes are:

  • MD5
  • SHA1
  • SHA256
  • SHA512


targetSTRING“main”the field of the Message that should be used for the filter (it could be main or an extra field)
extractBOOL“false”if "true" the main field of the output Message will be the extracted hash
md5BOOL“true”if "false" md5 hashes will be ignored
sha1BOOL“true”if "false" sha1 hashes will be ignored
sha256BOOL“true”if "false" sha256 hashes will be ignored
sha512BOOL“true”if "false" sha512 hashes will be ignored
... | hash(target="description", extract="true") | ...


If the extract parameter is “false”, the received Message will be propagated only if at least one hash is found in it.
Otherwise, if extract is “true” and the Message contains one or more hashes, the main field of the propagated Message will contain only the extracted hash.

If the extract parameter is “true” and the message is propagated, a new extra field is created: fulltext will contain the original target string.

If the targeted field contains multiple hashes, the filter will create and propagate multiple messages, one for each hash.


What's on this Page