This function takes the name of an array and renames all fields of this array.
array:rename() requires that the input array has
continuous, sequential indexes with no gaps (empty indexes). If there are
gaps, only the fields from index 0 up to the first empty index will be
renamed. If no array with the given name exists or the old and the new
name are the same, the function does nothing.
Without this function, each element of an array would need to be renamed
individually with the rename() function, or
array:filter() should be used as a workaround as
shown below:
array:filter(array="a[]", function={true}, var="", asArray="b[]")
| array:filter(array="a[]", function={false}, var="")With the function, specify the name of the array to rename:
array:rename("a[]", asArray="b[]")| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | Name of the array to rename. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
asArray | string | required | The new name of the array. Must follow valid Array Syntax for array of scalars. | |
[a] The argument name | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:rename("value[][]",asArray="value")and:
logscalearray:rename(array="value[][]",asArray="value")These examples show basic structure only.
array:rename() Examples
Rename Existing Fields in Array
Query
array:rename(array="mail[]", asArray="user.email[]")Introduction
If an array has continuous, sequential indexes with no empty
indexes, the array:rename() function can be
used to rename existing fields in an array. In this example, the
array:rename() function is used to rename the
array mail[] as
user.email[].
Example incoming data might look like this:
'mail[0]'='user0@example.com'
'mail[1]'='user1@example.com'
'mail[2]'='user2@example.com'
Step-by-Step
Starting with the source repository events
- logscale
array:rename(array="mail[]", asArray="user.email[]")Renames the array mail[] as user.email[]. If there are empty entries in the array, only the fields from index 0 up to the first empty index will be renamed. If an array with the new name already exists, it will be overwritten.
Event Result set
Summary and Results
The query is used to rename fields in an array. Renaming the mail[] array is useful when, for example, modifying vendor logs email addresses into ECS data model is needed.
Sample output from the incoming example data:
user.email[0]->user0@example.com
user.email[1]->user1@example.com
user.email[2]->user2@example.com