This function renames one or more fields.
Omitted Argument Names
The argument name for field can be omitted: field is the unnamed parameter, so a call that names it and a call that passes it as the first positional argument are equivalent. These examples show basic structure only.
Note
When a field is renamed to a field that already exists, the existing field and its content are overwritten by the new field. The same happens when the field is renamed through field aliasing.
Old fields are removed from the event stream, which adds overhead during processing. Copying the value to a new field instead is more efficient, but retains the old field in the event set.
To rename just one field, use the as parameter; for example, rename field BadName to GoodName:
rename(field=BadName, as=GoodName)
Or you can rename BadName to GoodName using assignment syntax:
GoodName := rename(BadName)
Rename fields to more readable names using the rename() function
rename(field=[[src_ip, source_address], [dst_ip, destination_address], [src_port, source_port], [dst_port, destination_port]])
In this example, the rename() function is used to rename multiple fields to more readable names.
Example incoming data might look like this:
Starting with the source repository events.
rename(field=[[src_ip, source_address], [dst_ip, destination_address], [src_port, source_port], [dst_port, destination_port]])
Renames the fields src_ip, dst_ip, src_port, and dst_port to more readable field names. The original field names are replaced with the new field names; the old fields no longer exist in the event after this step.
Since field is the unnamed parameter, the query could also be written as: rename([[src_ip, source_address], [dst_ip, destination_address], [src_port, source_port], [dst_port, destination_port]])
Event result set.
The query renames multiple fields in one single operation. Renaming fields is used for standardization, normalization, and readability. Normalizing field names across different data sources is useful, for example, for joins: two sources cannot be joined or grouped on a common key until they use the same field name for it. The rename() function is often used with the table() function.
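The following Python model is an added illustration, not LogScale code or a query from this page. It represents events as dictionaries and implements the field semantics described in the Note above (the old field is removed, an existing target field is overwritten) and the multi-field form used in the example, then shows why normalizing names across two sources matters: once a hypothetical firewall log (src_ip) and proxy log (client_ip) both carry source_address, they can be counted on one key. The proxy field names, the left-to-right application of the pairs, and the behaviour when the old field is absent are assumptions made for the example.

```python
"""Simulation of LogScale rename() field semantics over a list of events.

Added illustration, not LogScale code: events are plain dicts and rename()
is modelled as a function over them.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, str]
FieldMapping = Sequence[Tuple[str, str]]  # [[old, new], ...] pairs

# Constructed sample events (not real log data) from two hypothetical sources
# that name the same concept differently: a firewall log and a proxy log.
FIREWALL_EVENTS: List[Event] = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "src_port": "51234", "dst_port": "443"},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.9", "src_port": "51235", "dst_port": "443"},
]
PROXY_EVENTS: List[Event] = [
    {"client_ip": "10.0.0.5", "client_port": "51236", "url": "http://example.test/"},
]

# The mapping from the page's example, plus an assumed one for the proxy log.
FIREWALL_MAPPING: FieldMapping = [
    ("src_ip", "source_address"),
    ("dst_ip", "destination_address"),
    ("src_port", "source_port"),
    ("dst_port", "destination_port"),
]
PROXY_MAPPING: FieldMapping = [
    ("client_ip", "source_address"),
    ("client_port", "source_port"),
]


def rename_fields(event: Event, mapping: FieldMapping) -> Event:
    """Apply rename(field=[[old, new], ...]) to one event.

    For each pair the old field is removed and its value written to the new
    field, overwriting any value already stored there (the Note on this page).
    Assumptions: pairs are applied left to right, and a pair whose old field
    is absent leaves the event unchanged.
    """
    out = dict(event)  # do not mutate the caller's event
    for old, new in mapping:
        if old == new or old not in out:
            continue
        out[new] = out.pop(old)  # pop drops the old field; assignment overwrites
    return out


def rename_stream(events: List[Event], mapping: FieldMapping) -> List[Event]:
    """Apply the same rename to every event in the stream."""
    return [rename_fields(e, mapping) for e in events]


def normalized_source_counts() -> Dict[str, int]:
    """Normalize both sources onto source_address and count events per address.

    Without the rename the two sources could not be grouped (or joined) on a
    common key, because the field names differ.
    """
    merged = rename_stream(FIREWALL_EVENTS, FIREWALL_MAPPING) + rename_stream(
        PROXY_EVENTS, PROXY_MAPPING
    )
    return dict(Counter(e["source_address"] for e in merged))


def overwrite_example() -> Event:
    """Renaming onto an existing field silently replaces its content."""
    event = {"src_ip": "10.0.0.5", "source_address": "192.0.2.1"}
    return rename_fields(event, [("src_ip", "source_address")])


if __name__ == "__main__":
    print(rename_stream(FIREWALL_EVENTS, FIREWALL_MAPPING))
    print(normalized_source_counts())
    print(overwrite_example())
```

The overwrite_example() case is the one to watch in practice: if a source already emits source_address, renaming src_ip onto it discards the original value without any error, so check the target names against the existing schema before adding a rename() to a shared parser or query.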
For renaming existing fields in arrays, see
Rename Existing Fields in Array.
Sample output from the incoming example data: