Available: array:rename() v1.160.0
The array:rename() function is available from
version 1.160.0.
This function takes the name of an array and renames all fields of this array.
array:rename() requires that the input array has
continuous, sequential indexes with no gaps (empty indexes) and that the
array starts at index [0], for example, incidents[0], incidents[1],
incidents[2]. If there are gaps, for example, incidents[0], incidents[1],
incidents[2], incidents[10] only the fields from index 0 up to the first
empty index will be renamed.
If no array with the given name exists or the old and the new name are the same, the function does nothing.
Without this function, each element of an array would need to be renamed
individually with the rename() function, or
array:filter() should be used as a workaround as
shown below:
array:filter(array="a[]", function={true}, var="", asArray="b[]")
| array:filter(array="a[]", function={false}, var="")With the function, specify the name of the array to rename:
array:rename("a[]", asArray="b[]")| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | Name of the array to rename. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
asArray | string | required | The new name of the array. Must follow valid Array Syntax for array of scalars. | |
[a] The argument name | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:rename("value[][]",asArray="value")and:
logscalearray:rename(array="value[][]",asArray="value")These examples show basic structure only.
array:rename() Examples
Rename Existing Fields in Array
Rename existing fields in an array using the array:rename() function
Query
array:rename(array="mail[]", asArray="user.email[]")Introduction
The array:rename() function is used to rename
existing fields in an array provided that the array has
continuous, sequential indexes with no empty indexes and that it
starts at [0]. In this example, the
array:rename() function is used to rename the
array mail[] as
user.email[].
Example incoming data might look like this:
'mail[0]'='user0@example.com'
'mail[1]'='user1@example.com'
'mail[2]'='user2@example.com'
Step-by-Step
Starting with the source repository events.
- logscale
array:rename(array="mail[]", asArray="user.email[]")Renames the array mail[] as user.email[]. If there are empty entries in the array, only the fields from index 0 up to the first empty index will be renamed. If an array with the new name already exists, it will be overwritten.
Event Result set.
Summary and Results
The query is used to rename fields in an array. Renaming the mail[] array is useful when, for example, modifying vendor logs email addresses into ECS data model is needed.
Sample output from the incoming example data:
user.email[0]->user0@example.com
user.email[1]->user1@example.com
user.email[2]->user2@example.com