rename

The rename command renames fields in events. It is particularly useful for handling JSON data whose field names are not valid identifiers in search queries (for example names containing a colon), since those fields cannot otherwise be referenced by later commands.

Syntax

The rename command takes a list of source and destination field names, separated by the to keyword:

| rename <source> to <destination> [<source> to <destination> ...]

<source> can be either an identifier or a quoted string to allow for otherwise invalid names. <destination> must be an identifier and cannot be quoted.

Wildcards

The rename command supports wildcard patterns using * to rename multiple fields matching a pattern. The wildcard can appear at the beginning or end of both the source and destination:

  • field* to renamed* - matches fields starting with field, preserves suffix
  • *1 to *renamed - matches fields ending with 1, preserves prefix
  • field* to *renamed - matches fields starting with field, moves suffix to front
  • *1 to renamed* - matches fields ending with 1, moves prefix to back

Example:

| rename field* to renamed*

This renames field1 to renamed1, field2 to renamed2, etc.

Examples

Rename the invalid field name foo:bar to foobar:

| rename "foo:bar" to foobar
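The following is an added worked example, not code from this project: a small Python model of the rename rules described in the Wildcards and Examples sections above. It parses a `| rename ...` command line (quoted or bare sources, bare destinations, `to` separators) and applies the resulting rules to an event held as a dict, covering the literal case (`"foo:bar" to foobar`) and all four wildcard placements. The identifier grammar (`[A-Za-z_][A-Za-z0-9_]*`) and the rule that source and destination must either both or neither contain `*` are assumptions made here, not statements from the page.

```python
"""Reference model of the rename command (added example, not the tool's own code).

Assumptions not stated on the page:
  * an identifier is [A-Za-z_][A-Za-z0-9_]*
  * a wildcard source must be paired with a wildcard destination, and vice versa
"""

import re
from typing import Dict, List, Tuple

# A token is either a double-quoted string (group 1) or a bare word (group 2).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _valid_destination(dst: str) -> bool:
    """Destination: an identifier with at most one '*', at the start or end."""
    if dst.count("*") > 1:
        return False
    return _IDENT.fullmatch(dst.replace("*", "")) is not None and (
        "*" not in dst or dst.startswith("*") or dst.endswith("*")
    )


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a source pattern with one leading or trailing '*' into a regex.

    The single capture group holds the part matched by '*' (possibly empty,
    so 'field*' also matches a field named exactly 'field')."""
    if pattern.count("*") != 1 or not (pattern.startswith("*") or pattern.endswith("*")):
        raise ValueError(f"unsupported wildcard pattern: {pattern!r}")
    if pattern.startswith("*"):
        return re.compile(r"^(.*)" + re.escape(pattern[1:]) + r"$")
    return re.compile(r"^" + re.escape(pattern[:-1]) + r"(.*)$")


def parse_rename(command: str) -> List[Tuple[str, str]]:
    """Parse '| rename <source> to <destination> [...]' into (source, destination) pairs."""
    body = command.strip().lstrip("|").strip()
    m = re.match(r"rename\s+(.*)$", body, re.S)
    if m is None:
        raise ValueError("not a rename command")

    tokens: List[Tuple[str, bool]] = []  # (text, was_quoted)
    for t in _TOKEN.finditer(m.group(1)):
        if t.group(1) is not None:
            tokens.append((t.group(1), True))
        else:
            tokens.append((t.group(2), False))

    if not tokens or len(tokens) % 3 != 0:
        raise ValueError("expected: <source> to <destination> [<source> to <destination> ...]")

    rules: List[Tuple[str, str]] = []
    for i in range(0, len(tokens), 3):
        (src, _), (kw, kw_quoted), (dst, dst_quoted) = tokens[i], tokens[i + 1], tokens[i + 2]
        if kw != "to" or kw_quoted:
            raise ValueError(f"expected 'to' after source {src!r}")
        if dst_quoted or not _valid_destination(dst):
            raise ValueError(f"destination must be an unquoted identifier: {dst!r}")
        if ("*" in src) != ("*" in dst):  # assumption: wildcards must be paired
            raise ValueError(f"wildcard mismatch between {src!r} and {dst!r}")
        rules.append((src, dst))
    return rules


def rename_fields(event: Dict[str, object], rules: List[Tuple[str, str]]) -> Dict[str, object]:
    """Apply rename rules to one event; fields that match no rule are kept unchanged."""
    out = dict(event)
    for src, dst in rules:
        if "*" not in src:
            if src in out:
                out[dst] = out.pop(src)
            continue
        rx = _wildcard_regex(src)
        # Collect every match against a snapshot of the names, then pop all old
        # names before inserting the new ones, so a new name never collides with
        # an old name that is still waiting to be processed.
        matches = [(name, rx.match(name)) for name in out]
        moved = {dst.replace("*", m.group(1), 1): out.pop(name) for name, m in matches if m}
        out.update(moved)
    return out


if __name__ == "__main__":
    # Constructed sample event, not data from the page.
    sample = {"foo:bar": 1, "field1": "a", "field2": "b", "other": 3}
    print(rename_fields(sample, parse_rename('| rename "foo:bar" to foobar field* to renamed*')))
```

Running the block prints the sample event with `foo:bar` renamed to `foobar` and `field1`/`field2` renamed to `renamed1`/`renamed2`, while `other` is untouched; a quoted destination such as `"bar"` is rejected at parse time, matching the syntax rule above.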