Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Cryptographic functions

The following list contains the functions that you can use to compute the secure hash of string values, taken either from a field or from a literal string.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

md5(str)

Description

This function computes and returns the MD5 hash of a string value.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Examples

The following example returns a new field n with a message-digest (MD5) 128-bit hash value for the phrase "Hello World".

... | eval n=md5("Hello World")

The results look like this:

_time                n
2025-01-02 09:23:00  b10a8db164e0754105b7a99be72e3fe5


The following example creates a large random string.

| makeresults count=32768 | eval message=md5("". random()) | stats values(message) as message | eval message = mvjoin(message, "")

  • The makeresults command creates 32768 results with timestamps.
  • The eval command creates a new field called message:
    • The random function returns a random number for each of the 32768 results. Concatenating the empty string ("".) with that number converts it into a string value.
    • The md5 function creates a 128-bit hash value from the string value.
    • The results of the md5 function are placed into the message field created by the eval command.
  • The stats command with the values function is used to convert the individual random values into one multivalue result.
  • The eval command with the mvjoin function is used to combine the multivalue entry into a single value.

sha1(str)

Description

This function computes and returns the secure hash of a string value based on the FIPS-compliant SHA-1 hash function.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Examples

The following example creates a secure hash value for the string phrase:

... | eval n=sha1("Put that in your | and Splunk it.")


The following data shows a set of string values in the ID field:

_time                name            ID
2025-01-02 09:09:03  Charlie Garcia  222-333-4444
2025-01-02 09:09:03  Taylor Zhang    444-11-8888
2025-01-02 09:09:03  Sasha Patel     555-22-9999
2025-01-02 09:09:03  Nyah Aamadu     777-88-9999

You can use the sha1 cryptographic function to create secure hash values for the values in the ID field:

... | eval hashID=sha1(ID)

The results look like this:

_time                name            ID            hashID
2025-01-02 09:09:03  Charlie Garcia  222-333-4444  274ab92ea358c9b31f615290809085a58578b057
2025-01-02 09:09:03  Taylor Zhang    444-11-8888   ff8f94405a9089d0d0749ce9f729921c4f7f31fd
2025-01-02 09:09:03  Sasha Patel     555-22-9999   b67e7f2e0ad4e744e5f7b6b148249bad13c794ce
2025-01-02 09:09:03  Nyah Aamadu     777-88-9999   205c1cd079019f46003947a12662b3d5a17f0d5f
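
The following Python sketch is an added example, not Splunk code and not part of the original topic. It recomputes hashID for the sample rows outside Splunk and contrasts it with a keyed HMAC-SHA-256, showing that an unkeyed digest of a short, structured ID can be re-derived by anyone who can list candidate IDs. Assumptions: the eval functions hash the UTF-8 bytes of the string and return lowercase hexadecimal; eval_hash, keyed_hash, rederive, review_pseudonyms, and EXAMPLE_KEY are hypothetical names.

```python
import hashlib
import hmac

# (name, ID) rows copied from the sample data shown above.
ROWS = [
    ("Charlie Garcia", "222-333-4444"),
    ("Taylor Zhang", "444-11-8888"),
    ("Sasha Patel", "555-22-9999"),
    ("Nyah Aamadu", "777-88-9999"),
]
EXAMPLE_KEY = b"constructed-demo-key"  # constructed value for this demo only

def eval_hash(algorithm, value):
    """Stand-in for eval md5()/sha1()/sha256()/sha512() (hypothetical helper).
    Assumption: the string is hashed as UTF-8 bytes, result is lowercase hex."""
    return hashlib.new(algorithm, value.encode("utf-8")).hexdigest()

def keyed_hash(key, value):
    """HMAC-SHA-256 of value under key; computed outside the search, not an SPL function."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def rederive(digest, candidates, hash_fn):
    """Return the candidate whose hash equals digest, or None if none matches."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None

def review_pseudonyms(rows, key):
    """Per row: can the pseudonym be re-derived by someone who lacks the key?"""
    ids = [row_id for _, row_id in rows]
    other_key = bytes(len(key))  # all-zero key standing in for "does not know the key"
    report = []
    for name, row_id in rows:
        plain = eval_hash("sha1", row_id)
        keyed = keyed_hash(key, row_id)
        report.append({
            "name": name,
            "hashID": plain,
            "keyedID": keyed,
            "plain_rederivable": rederive(plain, ids, lambda v: eval_hash("sha1", v)) == row_id,
            "keyed_rederivable": rederive(keyed, ids, lambda v: keyed_hash(other_key, v)) == row_id,
        })
    return report

if __name__ == "__main__":
    for entry in review_pseudonyms(ROWS, EXAMPLE_KEY):
        print(entry["name"], entry["plain_rederivable"], entry["keyed_rederivable"])
```

Both columns still map equal IDs to equal values, so events can be correlated on either one; only the keyed column requires the key to recompute.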

sha256(str)

Description

This function computes and returns the secure hash of a string value based on the FIPS-compliant SHA-256 (SHA-2 family) hash function.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Example

... | eval n=sha256("Can you SPL?")

sha512(str)

Description

This function computes and returns the secure hash of a string value based on the FIPS-compliant SHA-512 (SHA-2 family) hash function.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Example

... | eval n=sha512("You bet your sweet SaaS.")

Last modified on 02 January, 2025

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2

