Splunk® Cloud Services

SPL2 Search Reference

rename command overview

The SPL2 rename command renames one or more fields. This command is useful for giving fields more meaningful names, such as Product ID instead of pid. If you want to rename fields with similar names, you can use a wildcard character.

Syntax

The required syntax is in bold.

rename
<wc-source-field> AS <wc-target-field> ["," <wc-source-field> AS <wc-target-field>]...

How the SPL2 rename command works

Use the SPL2 rename command to rename a field in your search results.

Sometimes a field name in your data is an abbreviation and it's useful to rename the field so that others clearly understand what data the field shows.

Suppose you have a field called dpt, which could an abbreviation for all sorts of things like:

  • Dollar per Transaction
  • Days Prior To
  • Dew Point Temperature
  • Double Plays Turned

You can make the field name clearer to anyone viewing the search results by renaming the field:

... | rename dpt AS department

Field names with special characters

When you rename a field and specify a name that has a space, you need to enclose the name in single quotation marks. Here's an example:

... | rename productName AS 'Product Name'

You must use single quotation marks on field names that include special characters, spaces, dashes, and wildcards. See Quotation marks in the SPL2 Search Manual.

Commands and clauses with built-in renaming options

Some commands, such as stats, have a built-in rename option using the AS keyword. When you use a statistical function, the field that the stats command creates in the search results includes the function name. For example, your search calculates the average of the bytes field:

... | stats avg(bytes)

The field in the output is named avg(bytes) by default. You can rename the field using the AS keyword:

... | stats avg(bytes) AS 'average bytes'

Similarly, you can specify an expression in the SELECT clause in the from command that includes a rename. For example:

SELECT count(action) AS 'Action Count'...

See also

rename command
rename command syntax details
rename command usage
rename command examples
Last modified on 31 January, 2024
mvexpand command examples   rename command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters