rename command: Overview, syntax, and usage
The SPL2 rename command renames one or more fields. This command is useful for giving fields more meaningful names, such as Product ID instead of pid. If you want to rename fields with similar names, you can use a wildcard character.
How the SPL2 rename command works
Use the SPL2 rename command to rename a field in your search results.
Sometimes a field name in your data is an abbreviation and it's useful to rename the field so that others clearly understand what data the field shows.
Suppose you have a field called dpt, which could be an abbreviation for all sorts of things like:
- Dollar per Transaction
- Days Prior To
- Dew Point Temperature
- Double Plays Turned
You can make the field name clearer to anyone viewing the search results by renaming the field:
... | rename dpt as department
Field names with special characters
When you rename a field and specify a name that has a space, you need to enclose the name in single quotation marks. Here's an example:
... | rename productName as 'Product Name'
You must use single quotation marks on field names that include special characters, spaces, dashes, and wildcards. See Quotation marks in the SPL2 Search Manual.
Commands and clauses with built-in renaming options
Some commands, such as stats, have a built-in rename option using the as keyword. When you use a statistical function, the field that the stats command creates in the search results includes the function name. For example, your search calculates the average of the bytes field:
... | stats avg(bytes)
The field in the output is named avg(bytes) by default. You can rename the field using the as keyword:
... | stats avg(bytes) as 'average bytes'
Similarly, you can specify an expression in the SELECT clause in the from command that includes a rename. For example:
SELECT count(action) as 'Action Count'...
Syntax
The required syntax is in bold.
rename <source-field> as <target-field> ["," <source-field> as <target-field>]...
Required arguments
- source-field
- Syntax: <string>
- Description: The name of a field in your search results to rename. You can use a wildcard character in the field name. Names with anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks. This includes the wildcard character ( * ).
- target-field
- Syntax: as <string>
- Description: The name you want to use as the replacement name for the field. You can use a wildcard character in the field name. Names with anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks. This includes the wildcard character ( * ).
- The replacement name you specify for the field can't be a reserved word. For a list of the reserved words, see Reserved words.
Usage
Differences between SPL and SPL2
The differences between the SPL and SPL2 rename command are described in these sections.
Renames must be comma-delimited
Each pair of rename fields must be separated by a comma. Otherwise a parsing error is returned.
Version | Example |
---|---|
SPL | rename pid AS ProductID cid AS CustomerID |
SPL2 | rename pid AS ProductID, cid AS CustomerID |
Certain renames are invalid
Renaming the same field more than once is not allowed.
Version | Example |
---|---|
SPL | ...rename A as B, A as C |
SPL2 | Not supported |
Merging multiple fields is invalid
Attempting to merge multiple fields with a rename is not allowed.
Version | Example |
---|---|
SPL | ... rename A as B, C as B |
SPL2 | Not supported |
Chained or circular renaming is invalid
Using transitive renames that result in chained renaming or circular naming is not allowed.
Version | Example 1 | Example 2 |
---|---|---|
SPL | ... rename A as B, B as C | ... rename A as B, C as A |
SPL2 | Not supported | Not supported |
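When migrating saved searches or detections from SPL to SPL2, the restrictions in the tables above can be checked before deployment. The following Python sketch is an added example, not Splunk code: `check_rename` is a hypothetical helper that takes the argument string of a rename command and reports each rule it breaks. It assumes names are either bare words or single-quoted, compares wildcard names literally, and does not check reserved words.

```python
import re

TOKEN = re.compile(r"'[^']*'|,|[^\s,']+")   # quoted name, comma, or bare word
BARE_OK = re.compile(r"[A-Za-z0-9_]+\Z")     # names allowed without quotes

def check_rename(args):
    """Return SPL2 problems found in the argument string of a rename command."""
    tokens, pairs, problems, i = TOKEN.findall(args), [], [], 0
    while i < len(tokens):
        if i + 2 >= len(tokens) or tokens[i + 1].lower() != "as":
            problems.append("syntax: expected <source-field> as <target-field>")
            break
        pairs.append((tokens[i], tokens[i + 2]))
        i += 3
        if i < len(tokens):
            if tokens[i] == ",":
                i += 1
            else:
                problems.append(f"missing comma before {tokens[i]}")
    for name in (n for pair in pairs for n in pair):
        if not name.startswith("'") and not BARE_OK.match(name):
            problems.append(f"needs single quotation marks: {name}")
    # Compare names without their quotes; wildcards are compared literally.
    src = [s.strip("'") for s, _ in pairs]
    dst = [t.strip("'") for _, t in pairs]
    for name in sorted(set(src)):
        if src.count(name) > 1:
            problems.append(f"same field renamed more than once: {name}")
    for name in sorted(set(dst)):
        if dst.count(name) > 1:
            problems.append(f"multiple fields merged into: {name}")
    for i, target in enumerate(dst):
        if any(target == s for j, s in enumerate(src) if j != i):
            problems.append(f"chained or circular rename through: {target}")
    return problems

if __name__ == "__main__":
    # Constructed inputs taken from the SPL column of the tables above.
    for args in ("pid AS ProductID cid AS CustomerID", "A as B, B as C"):
        print(args, "->", check_rename(args))
```

An empty list means the clause passes these checks; it does not guarantee that the search parses in SPL2.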
See also
- rename command
- rename command: Examples
This documentation applies to the following versions of Splunk® Cloud Services: current