Skip to main content
Version: Next


Pseudonymizes fields according to a given method.


This operator will soon be removed in favor of first-class support for functions that can be used in a variety of different operators and contexts.


pseudonymize -m|--method=<string> -s|--seed=<seed> <extractor>...


The pseudonimize operator replaces IP address using the Crypto-PAn algorithm.

Currently, pseudonimize exclusively works for fields of type ip.


The algorithm for pseudonimization


A 64-byte seed that describes a hexadecimal value. When the seed is shorter than 64 bytes, the operator will append zeros to match the size; when it is longer, it will truncate the seed.


The list of extractors describing fields to pseudonomize. If an extractor matches types other than IP addresses, the operator will ignore them.


Pseudonymize all values of the fields src_ip and dest_ip using the crypto-pan algorithm and deadbeef seed:

pseudonymize --method="crypto-pan" --seed="deadbeef" src_ip, dest_ip