This function renames one or more fields.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
as | string | optional[a] | The new name of the field; it is used when a single field name is given in field. | |
field[b] | string or array, array of arrays of strings | required | The field to rename, if a new field name is given in as. From v1.106.0, multiple fields can be given using an array of old/new field name pairs: [[oldName1,newName1], [oldName2,newName2]]. | |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale Syntaxrename("value")and:
logscale Syntaxrename(field="value")These examples show basic structure only.
Note
When a field is renamed to a field that already exists, the existing field and its content is overwritten by the new field. The same happens when the field is renamed through field aliasing.
Old fields are removed from the event stream which can add overhead during processing. Copying to a new field using:
newfield := oldfieldis more efficient, but retains the old field in the event set.
rename() Examples
To rename just one field use the as parameter;
for example, rename field
BadName to
GoodName:
rename(field=BadName, as=GoodName)Or you can rename BadName to GoodName using assignment syntax:
GoodName := rename(BadName)To rename multiple fields use the array form:
rename(field=[[fromBadName1, toGoodName1], [fromBadName2, toGoodName2]])
Or, since field is the unnamed parameter:
rename([[fromBadName1, toGoodName1], [fromBadName2, toBadName2]])
If field is given as a list of pairs, the
function can be given any number of fields to rename.