This function renames one or more fields.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
as | string | optional[a] | The new name of the field; it is used when a single field name is given in field . | |
field [b] | string or array, array of arrays of strings | required | The field to rename, if a new field name is given in as . From v1.106.0, multiple fields can be given using an array of old/new field name pairs: [[oldName1,newName1], [oldName2,newName2]] . | |
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscale Syntaxrename("value")
and:
logscale Syntaxrename(field="value")
These examples show basic structure only.
Old fields are are removed from the event stream which can add overhead during processing. Copying to a new field using:
newfield := oldfield
Is more efficient, but retains the old field in the event set.
rename()
Examples
To rename just one field use the as
parameter;
for example, rename field
BadName to
GoodName:
rename(field=BadName, as=GoodName)
Or you can rename BadName to GoodName using assignment syntax:
GoodName := rename(BadName)
To rename multiple fields use the array form:
rename(field=[[fromBadName1, toGoodName1], [fromBadName2, toGoodName2]])
Or, since field
is the unnamed parameter:
rename([[fromBadName1, toGoodName1], [fromBadName2, toBadName2]])
If field
is given as a list of pairs, the
function can be given any number of fields to rename.