This function takes the name of an array and renames all fields of this array.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | Name of the array to rename. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
asArray | string | required | The new name of the array. Must follow valid Array Syntax for array of scalars. | |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscale Syntaxarray:rename(""value"[]",asArray="value")and:
logscale Syntaxarray:rename(array=""value"[]",asArray="value")These examples show basic structure only.
array:rename() requires that the input
array has continuous, sequential indexes with no gaps (empty
indexes) and that the array starts at index [0], for example,
incidents[0], incidents[1], incidents[2]. If there are gaps, for
example, incidents[0], incidents[1], incidents[2], incidents[10]
only the fields from index 0 up to the first empty index will be
renamed.
If no array with the given name exists or the old and the new name are the same, the function does nothing.
Without this function, each element of an array would need to be
renamed individually with the rename()
function, or array:filter() should be used
as a workaround as shown below:
array:filter(array="a[]", function={true}, var="", asArray="b[]")
| array:filter(array="a[]", function={false}, var="")With the function, specify the name of the array to rename:
array:rename("a[]", asArray="b[]")array:rename() Examples
Click next to an example below to get the full details.
Rename Existing Fields in Array
Rename existing fields in an array using the
array:rename() function
Query
array:rename(array="mail[]", asArray="user.email[]")Introduction
In this example, the array:rename() function is
used to rename the array mail[]
as user.email[].
Example incoming data might look like this:
'mail[0]'='user0@example.com'
'mail[1]'='user1@example.com'
'mail[2]'='user2@example.com'Step-by-Step
Starting with the source repository events.
- logscale
array:rename(array="mail[]", asArray="user.email[]")Renames the array mail[] as user.email[]. If there are empty entries in the array, only the fields from index 0 up to the first empty index will be renamed. If an array with the new name already exists, it will be overwritten.
Event Result set.
Summary and Results
The query is used to rename fields in an array. Renaming the mail[] array is useful when, for example, modifying vendor logs email addresses into ECS data model is needed.
Sample output from the incoming example data:
user.email[0]->user0@example.com
user.email[1]->user1@example.com
user.email[2]->user2@example.com