Hash Replace

The Hash Replace function in Observo AI allows you to replace a field with a hash value.

Purpose

To use the Hash Replace function, define conditions that determine which event fields should be hashed.

Usage

Select Hash Replace transform. Add Name (required) and Description (optional).

General Configuration:

  • Bypass Transform: Defaults to disabled. When enabled, this transform will be bypassed entirely, allowing the event to pass through without any modifications.

  • Add Filter Conditions: Defaults to disabled. When enabled, it allows events to filter through conditions. Only events that meet the true condition will be processed; all others will bypass this transform. Based on AND/OR conditions, "+Rule" or "+Group" buttons.

Hash Replace: Enabled: Defaults to enabled, meaning it does evaluate all events. Toggle Enabled off to prevent event processing to feed data to the downstream Transforms.

Hash Key Name: New Hash key name to be added to the message. All the replace_keys hashes will be added under this key name.

Sample Rate: At least 1/sample_rate messages will have both the original fields and the value of hashes for those fields. For the rest of the message, original fields will be removed and only hashes will be added. Defaults to 100.

Field Name: A list of fields for replacing with a hash. First field entry added by default. Click the Add button to add a new field.

Field Name Note: For example, if replace_keys = [\"host\", \"region\", \"user.id\"]\ , then all incoming events that have the keys \ host and region will have hashes added and for sample_rate we will have original fields \ and for rest of the events they keys will be removed.

Examples

Scenario: Replace the hostname field with a hash value.

Hash Replace

Enabled
Hash key Name
Sample Rate
Field Name

Toggled On

my_hashes

100

hostname

Input

{
"appname":"devankoshal",
"facility":"lpr",
"hostname":"we.de",
"message":"Pretty pretty pretty good",
"msgid":"ID591",
"procid":3826,
"severity":"crit",
"timestamp":"2025-01-27T17:53:46.398Z",
"version":2
}

Output

{
"appname":"devankoshal",
"facility":"lpr",
"hostname":"we.de",
"message":"Pretty pretty pretty good",
"msgid":"ID591",
"my_hashes":{
"hostname":"cc5c6304220e6fd5"
},
"procid":3826,
"severity":"crit",
"timestamp":"2025-01-27T17:53:46.398Z",
"version":2
}

Results: The hostname is hashed.

Related Functions

  • Sensitive Data Mask: Obfuscate sensitive information in your data streams.

  • Encode Fields: Encode field values in log events.

  • Decode Fields: Decode field values in log events.

PreviousFilter EventsNextEncode Fields

Last updated

Was this helpful?