Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

rename

The rename command is used to rename fields in events; it can be particularly useful for handling json data where the field names are not valid identifier for search queries.

Syntax

The rename command takes a list of source and destination field names, separated by the to keyword:

| rename <source> to <destination> [<source> to <destination> ...]

<source> can be either an identifier or a quoted string to allow for otherwise invalid names. <destination> must be an identifier and cannot be quoted.

Examples

Rename the invalid field name foo:bar to foobar:

| rename "foo:bar" to foobar