rename

The rename command is used to rename fields in events; it can be particularly useful for handling json data where the field names are not valid identiﬁer for search queries.

Syntax

The rename command takes a list of source and destination field names, separated by the to keyword:

| rename <source> to <destination> [<source> to <destination> ...]

<source> can be either an identifier or a quoted string to allow for otherwise invalid names. <destination> must be an identifier and cannot be quoted.

Examples

Rename the invalid field name foo:bar to foobar:

| rename "foo:bar" to foobar

Crystalline

rename

Syntax

Examples