This function renames one or more fields.

asstringoptional[a]  The new name of the field; it is used when a single field name is given in field.
field[b]string or arrayrequired  The field to rename, if a new field name is given in as. From v1.106.0, multiple fields can be given using an array of old/new field name pairs: [oldName,newName].

[a] Optional parameters use their default value unless explicitly set

[b] The argument name field can be omitted.

Omitted Argument Names

The argument name for field can be omitted; the following forms of this function are equivalent:




These examples show basic structure only; full examples are provided below.

Old fields are are removed from the event stream which can add overhead during processing. Copying to a new field using:

newfield := oldfield

Is more efficient, but retains the old field in the event set.

rename() Examples

To rename just one field use the as parameter; for example, rename field BadName to GoodName:

rename(field=BadName, as=GoodName)

Or you can rename BadName to GoodName using assignment syntax:

GoodName := rename(BadName)

To rename multiple fields use the array form:

rename(field=[[fromBadName1, toGoodName1], [fromBadName2, toGoodName2]])

Or, since field is the unnamed parameter:

rename([[fromBadName1, toGoodName1], [fromBadName2, toBadName2]])

If field is given as a list of pairs, the function can be given any number of fields to rename.