nano SIEM
Search Commands

rename

Rename one or more fields in your search results.

Description

The rename command changes field names without modifying their values. This is useful for standardizing field names, making them more readable, or preparing data for downstream processing.

Unlike table with aliases (which only affects display), rename permanently changes field names in the pipeline, so subsequent commands must use the new names.

Syntax

... | rename <old_field> as <new_field> [, <old_field> as <new_field> ...]

Required Arguments

old_field
The current name of the field to rename.

new_field
The new name for the field.

Examples

Rename single field

* | rename src_ip as source_ip

Changes src_ip to source_ip.

Rename multiple fields

* | rename src_ip as source_ip,
           dest_ip as destination_ip,
           src_port as source_port

Renames multiple fields in one command.

Make names more readable

* | stats count() as cnt, 
         dc(user) as unique_users
  by src_ip
  | rename src_ip as "Source IP",
           cnt as "Event Count",
           unique_users as "Unique Users"

Creates human-readable field names for reporting.

Standardize field names

* | rename clientIP as src_ip,
           serverIP as dest_ip

Normalizes inconsistent field names.

After aggregation

* | stats sum(bytes) as total_bytes by user
  | rename user as username,
           total_bytes as "Total Bytes Transferred"

Renames both original and aggregated fields.

Prepare for lookup

* | rename ip_address as src_ip
  | lookup ip_enrichment src_ip

Renames field to match lookup table key.

Simplify complex names

* | rename http_request_headers_user_agent as user_agent,
           http_response_status_code as status

Shortens verbose field names.

After eval

* | eval total = bytes_in + bytes_out
  | rename total as total_bytes

Renames calculated field.

For visualization

* | timechart span=1h count()
  | rename _time as "Time",
           count as "Events"

Prepares data for dashboard display.

Swap field names

* | rename src_ip as temp,
           dest_ip as src_ip,
           temp as dest_ip

Note: Chaining through a temporary name like this does not swap the two fields. Copy the values through a temporary field with eval instead.

Chain with other commands

* | stats count() by src_ip
  | rename src_ip as ip, count as events
  | where events > 100
  | sort -events

Renamed fields are available to subsequent commands.

Rename before dedup

* | rename user_name as user
  | dedup user

Standardizes field name before deduplication.

Multiple aggregations

* | stats count() as event_count,
         sum(bytes) as byte_sum,
         avg(response_time) as avg_resp
  by endpoint
  | rename endpoint as "API Endpoint",
           event_count as "Requests",
           byte_sum as "Total Bytes",
           avg_resp as "Avg Response (ms)"

Creates fully formatted output.

Usage Notes

Permanent change: Unlike table aliases, rename changes field names for all subsequent commands in the pipeline.

Original name unavailable: After renaming, the original field name no longer exists. Subsequent commands must use the new name.

Multiple renames: You can rename multiple fields in a single rename command, separated by commas.

Spaces in names: Field names containing spaces must be quoted, for example as "Source IP". Every later command that refers to such a field must quote it as well, so it is easiest to introduce these names in the final display step.

Case sensitivity: Field names are case-sensitive. src_ip and Src_IP are different fields.

Non-existent fields: Renaming a field that doesn't exist has no effect and doesn't cause an error.

Overwriting: If the new name already belongs to another field, that field's value is replaced by the renamed field's value and is no longer available to later commands.

Performance: rename is a lightweight operation with minimal performance impact.

Best practices: Use rename for standardization early in the pipeline. Use table with aliases for display-only changes at the end.
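The rules above, and the failing swap attempt shown earlier under "Swap field names", are easy to misjudge when several renames sit in one command. The following Python model is an added illustration written for this page; it is not nano SIEM code, and the product's actual implementation is not visible here. It makes one marked assumption: the old_field names in a single rename command are resolved against the event as it was when the command started. That rule alone reproduces every behaviour listed under Usage Notes (case-sensitive names, no-op on missing fields, silent overwrite, renamed names required downstream) and shows why the chained-rename swap leaves a stray temporary field while the eval-style copy succeeds. The sample events are constructed for the example.

```python
"""Reference model of the rename semantics documented on this page.

Added example, not nano SIEM code. ASSUMPTION (marked again below): old_field
is looked up against the original event, not against the partially renamed one.
"""
from collections import Counter
from typing import Dict, List, Tuple

Event = Dict[str, object]
Pair = Tuple[str, str]  # (old_field, new_field)


def rename(events: List[Event], pairs: List[Pair]) -> List[Event]:
    """Apply `rename old as new, ...` to every event and return new events.

    Field names are plain dict keys, so they are case-sensitive.
    A pair whose old_field is absent is skipped without error.
    Renaming onto a name that already exists replaces that field.
    """
    result = []
    for original in events:
        out = dict(original)
        for old, new in pairs:
            if old not in original:   # ASSUMPTION: resolved against the snapshot
                continue              # non-existent field: no-op, no error
            value = original[old]
            out.pop(old, None)        # the old name ceases to exist
            out[new] = value          # overwrites any field already called `new`
        result.append(out)
    return result


def swap_with_eval(events: List[Event], a: str, b: str) -> List[Event]:
    """The working alternative: copy values through a temporary field, as a
    sequence of eval assignments would, then drop the helper field."""
    result = []
    for original in events:
        out = dict(original)
        if a in out and b in out:
            out["_tmp"] = out[a]      # eval _tmp = a
            out[a] = out[b]           # eval a = b
            out[b] = out["_tmp"]      # eval b = _tmp
            del out["_tmp"]           # drop the helper field
        result.append(out)
    return result


# Constructed sample: two sources that name the same attributes differently.
FIREWALL_EVENTS: List[Event] = [
    {"src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "action": "allow"},
    {"src_ip": "10.0.0.5", "dest_ip": "192.0.2.11", "action": "deny"},
]
PROXY_EVENTS: List[Event] = [
    {"clientIP": "10.0.0.5", "serverIP": "192.0.2.10", "status": 200},
    {"clientIP": "10.0.0.9", "serverIP": "192.0.2.12", "status": 403},
]


def count_by_source() -> Dict[str, int]:
    """`* | rename clientIP as src_ip, serverIP as dest_ip | stats count() by src_ip`

    The rename is a no-op on firewall rows (no clientIP) and normalizes the
    proxy rows, so one grouping key covers both sources."""
    normalized = rename(FIREWALL_EVENTS + PROXY_EVENTS,
                        [("clientIP", "src_ip"), ("serverIP", "dest_ip")])
    return dict(Counter(e["src_ip"] for e in normalized if "src_ip" in e))


def failed_swap() -> Event:
    """`rename src_ip as temp, dest_ip as src_ip, temp as dest_ip` on one event.

    Under the snapshot assumption `temp` is not in the original event, so the
    third pair is skipped: the result has no dest_ip and a stray temp field."""
    return rename([FIREWALL_EVENTS[0]],
                  [("src_ip", "temp"), ("dest_ip", "src_ip"), ("temp", "dest_ip")])[0]


def working_swap() -> Event:
    """Same intent, done with eval-style copies."""
    return swap_with_eval([FIREWALL_EVENTS[0]], "src_ip", "dest_ip")[0]


if __name__ == "__main__":
    print("count by src_ip:", count_by_source())
    print("rename-based swap:", failed_swap())
    print("eval-based swap:  ", working_swap())
```

Run it and compare the last two lines: the rename-based attempt ends with `temp` and `src_ip` but no `dest_ip`, while the eval-based version carries both fields with their values exchanged. Any `where` or `sort` placed after the rename in a real pipeline would have to reference the new names, exactly as the Usage Notes require.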

Related Commands

  • table - Display fields with aliases (doesn't change field names)
  • eval - Create new fields with calculated values
  • fields - Include or exclude fields
  • stats - Use as to name aggregated fields