Splunk® Cloud Services

SPL2 Search Reference

rename command examples

The following are examples for using the SPL2 rename command. To learn more about the rename command, see How the SPL2 rename command works.

The AS keyword is displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify the AS keyword in uppercase or lowercase in your searches.

1. Rename one field

Rename the usr field to username.

... | rename usr AS username

2. Rename a field with special characters

Rename the ip-add field to IPAddress. Field names that contain any character other than a-z, A-Z, 0-9, or "_" must be enclosed in single quotation marks.

... | rename 'ip-add' AS IPAddress

3. Specify multiple fields to rename

Use a comma-separated list of renames that you want to perform. This example renames usr to username and dpt to department. Renames are processed in the order that you specify, left to right.

... | rename usr AS username, dpt AS department

4. Rename multiple similarly named fields using wildcards

This example renames any field that starts with u to start with user. Because wildcard characters are used, the field names must be enclosed in single quotation marks.

... | rename 'u*' AS 'user*'

5. Rename a field with a phrase

This example renames a field with a string phrase. Because the phrase includes spaces, the field name must be enclosed in single quotation marks.

... | rename count AS 'Count of Events'

6. Rename a field to remove the JSON path information

Suppose you have fields with the following names:

| games.cooperative.Forbidden Island | games.cooperative.Pandemic | games.cooperative.Sherlock Holmes: Consulting Detective |
| --- | --- | --- |
| In stock | in stock | out of stock |

You can use the rename command with a wildcard to remove the path information from the field names. The following search identifies the path information that you want to remove and returns only the information that remains. In this example, the remaining information is the names of the games:

... | rename 'games.cooperative.*' AS '*'

The results look like this:

| Forbidden Island | Pandemic | Sherlock Holmes: Consulting Detective |
| --- | --- | --- |
| In stock | in stock | out of stock |
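
The following Python sketch is an added example, not Splunk code: it models the left-to-right processing and wildcard carry-over described in examples 3, 4 and 6 so that you can check what a rename list does to an event's field names before relying on it in a search. The sample event values, the requirement that source and target have the same number of wildcards, and the rule that a later write replaces an existing field of the same name are assumptions of this sketch.

```python
import re

# Constructed sample event using the field names from examples 1, 2, 3 and 6.
EVENT = {
    "usr": "alice",
    "dpt": "finance",
    "ip-add": "192.0.2.10",
    "games.cooperative.Pandemic": "in stock",
}

def _compile(pattern):
    # Turn a source pattern such as 'games.cooperative.*' into a regex:
    # each * becomes a capture group, everything else is matched literally.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "(.*)".join(parts) + "$")

def rename(event, clauses):
    """Apply (source, target) rename clauses to one event, left to right.

    Models only the behaviour described on this page; it is not Splunk's
    implementation. Collision handling is an assumption (last write wins).
    """
    for source, target in clauses:
        if source.count("*") != target.count("*"):
            raise ValueError(f"wildcard count differs: {source!r} AS {target!r}")
        rx = _compile(source)
        pieces = target.split("*")
        renamed = {}
        for name, value in event.items():
            m = rx.match(name)
            if m is None:
                renamed[name] = value  # field not named by this clause
                continue
            # Carry each captured wildcard portion into the target, in order.
            new_name = pieces[0]
            for captured, literal in zip(m.groups(), pieces[1:]):
                new_name += captured + literal
            renamed[new_name] = value
        event = renamed  # the next clause sees the already-renamed fields
    return event

if __name__ == "__main__":
    print(rename(EVENT, [("usr", "username"), ("dpt", "department"),
                         ("ip-add", "IPAddress"),
                         ("games.cooperative.*", "*")]))
```
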

See also

rename command
rename command overview
rename command syntax details
rename command usage
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
