:plugin: fingerprint
:type: filter

///////////////////////////////////////////
START - GENERATED VARIABLES, DO NOT EDIT!
///////////////////////////////////////////
:version: %VERSION%
:release_date: %RELEASE_DATE%
:changelog_url: %CHANGELOG_URL%
:include_path: ../../../../logstash/docs/include
///////////////////////////////////////////
END - GENERATED VARIABLES, DO NOT EDIT!
///////////////////////////////////////////

[id="plugins-{type}s-{plugin}"]

=== Fingerprint filter plugin

include::{include_path}/plugin_header.asciidoc[]

==== Description

Create consistent hashes (fingerprints) of one or more fields and store
the result in a new field.

You can use this plugin to create consistent document ids when events are
inserted into Elasticsearch. This approach means that existing documents can be
updated instead of creating new documents.

NOTE: When the `method` option is set to `UUID` the result won't be
a consistent hash but a random
https://en.wikipedia.org/wiki/Universally_unique_identifier[UUID].
To generate UUIDs, prefer the {logstash-ref}/plugins-filters-uuid.html[uuid filter].

[id="plugins-{type}s-{plugin}-ecs_metadata"]
==== Event Metadata and the Elastic Common Schema (ECS)
This plugin adds a hash value to event as an identifier. You can configure the `target` option to change the output field.

When ECS compatibility is disabled, the hash value is stored in the `fingerprint` field.
When ECS is enabled, the value is stored in the `[event][hash]` field.

Here’s how ECS compatibility mode affects output.
[cols="<l,<l,e,<e"]
|=======================================================================
| ECS disabled | ECS v1 | Availability | Description

| fingerprint | [event][hash] | Always | a hash value of event
|=======================================================================

[id="plugins-{type}s-{plugin}-options"]
==== Fingerprint Filter Configuration Options

This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.

[cols="<,<,<",options="header",]
|=======================================================================
|Setting |Input type|Required
| <<plugins-{type}s-{plugin}-base64encode>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-concatenate_sources>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-concatenate_all_fields>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
| <<plugins-{type}s-{plugin}-key>> |<<string,string>>|No
| <<plugins-{type}s-{plugin}-method>> |<<string,string>>, one of `["SHA1", "SHA256", "SHA384", "SHA512", "MD5", "MURMUR3", "IPV4_NETWORK", "UUID", "PUNCTUATION"]`|Yes
| <<plugins-{type}s-{plugin}-source>> |<<array,array>>|No
| <<plugins-{type}s-{plugin}-target>> |<<string,string>>|No
|=======================================================================

Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
filter plugins.

&nbsp;

[id="plugins-{type}s-{plugin}-base64encode"]
===== `base64encode` 

  * Value type is <<boolean,boolean>>
  * Default value is `false`

When set to `true`, the `SHA1`, `SHA256`, `SHA384`, `SHA512` and `MD5` fingerprint methods will produce
base64 encoded rather than hex encoded strings.

[id="plugins-{type}s-{plugin}-concatenate_sources"]
===== `concatenate_sources` 

  * Value type is <<boolean,boolean>>
  * Default value is `false`

When set to `true` and `method` isn't `UUID` or `PUNCTUATION`, the
plugin concatenates the names and values of all fields given in the
`source` option into one string (like the old checksum filter) before
doing the fingerprint computation. 

If `false` and multiple source fields are given, the target field will be single
fingerprint of the last source field.

**Example: `concatenate_sources`=false**

This example produces a single fingerprint that is computed from "birthday," the
last source field.

[source,ruby]
-----
fingerprint {
  source => ["user_id", "siblings", "birthday"]
}
-----

The output is:

[source,ruby]
-----
"fingerprint" => "6b6390a4416131f82b6ffb509f6e779e5dd9630f". 
-----

**Example: `concatenate_sources`=false with array**

If the last source field is an array, you get an array of fingerprints. 

In this example, "siblings" is an array ["big brother", "little sister", "little brother"].

[source,ruby]
-----
fingerprint {
  source => ["user_id", "siblings"]
}
-----

The output is:

[source,ruby]
-----
 "fingerprint" => [
        [0] "8a8a9323677f4095fcf0c8c30b091a0133b00641",
        [1] "2ce11b313402e0e9884e094409f8d9fcf01337c2",
        [2] "adc0b90f9391a82098c7b99e66a816e9619ad0a7"
    ],
-----

[id="plugins-{type}s-{plugin}-concatenate_all_fields"]
===== `concatenate_all_fields` 

  * Value type is <<boolean,boolean>>
  * Default value is `false`

When set to `true` and `method` isn't `UUID` or `PUNCTUATION`, the
plugin concatenates the names and values of all fields of the event 
into one string (like the old checksum filter) before doing the 
fingerprint computation. If `false` and at least one source field is 
given, the target field will be an array with fingerprints of the 
source fields given.

[id="plugins-{type}s-{plugin}-ecs_compatibility"]
===== `ecs_compatibility`

* Value type is <<string,string>>
* Supported values are:
** `disabled`: unstructured data added at root level
** `v1`: uses `[event][hash]` fields that are compatible with Elastic Common Schema

Controls this plugin's compatibility with the
{ecs-ref}[Elastic Common Schema (ECS)].
See <<plugins-{type}s-{plugin}-ecs_metadata>> for detailed information.

[id="plugins-{type}s-{plugin}-key"]
===== `key` 

  * Value type is <<string,string>>
  * There is no default value for this setting.

When used with the `IPV4_NETWORK` method fill in the subnet prefix length.
With other methods, optionally fill in the HMAC key.

[id="plugins-{type}s-{plugin}-method"]
===== `method` 

  * This is a required setting.
  * Value can be any of: `SHA1`, `SHA256`, `SHA384`, `SHA512`, `MD5`, `MURMUR3`, `IPV4_NETWORK`, `UUID`, `PUNCTUATION`
  * Default value is `"SHA1"`

The fingerprint method to use.

If set to `SHA1`, `SHA256`, `SHA384`, `SHA512`, or `MD5` and a key is set, the
corresponding cryptographic hash function and the keyed-hash (HMAC) digest function
are used to generate the fingerprint.

If set to `MURMUR3` the non-cryptographic 64 bit MurmurHash function will be used.

If set to `IPV4_NETWORK` the input data needs to be a IPv4 address and
the hash value will be the masked-out address using the number of bits
specified in the `key` option. For example, with "1.2.3.4" as the input
and `key` set to 16, the hash becomes "1.2.0.0".

If set to `PUNCTUATION`, all non-punctuation characters will be removed
from the input string.

If set to `UUID`, a
https://en.wikipedia.org/wiki/Universally_unique_identifier[UUID] will
be generated. The result will be random and thus not a consistent hash.

[id="plugins-{type}s-{plugin}-source"]
===== `source` 

  * Value type is <<array,array>>
  * Default value is `"message"`

The name(s) of the source field(s) whose contents will be used
to create the fingerprint. If an array is given, see the
`concatenate_sources` option.

[id="plugins-{type}s-{plugin}-target"]
===== `target` 

  * Value type is <<string,string>>
  * Default value is `"fingerprint"` when ECS is disabled
  * Default value is `"[event][hash]"` when ECS is enabled

The name of the field where the generated fingerprint will be stored.
Any current contents of that field will be overwritten.



[id="plugins-{type}s-{plugin}-common-options"]
include::{include_path}/{type}.asciidoc[]