rename()

rename(col as alias [, ...col as alias]) renames one or more columns in the input stream.

alias can be one word or include spaces. Aliases with spaces must be enclosed in quotation marks. If alias is the name of an existing column, rename will overwrite its values with the values of col.

Columns are renamed in order:

  • rename col1 as foo, col2 as foo will first rename col1 as foo, then rename col2 as foo. foo will contain the values of col2; the values of col1 will not exist in the output.

  • rename col1 as foo, foo as bar will rename col1 as foo, then rename foo as bar. bar will contain the values of col1; foo will not exist.

rename has no effect if neither col nor alias exists. If col does not exist and alias is the name of an existing column, alias will not exist in the output.

A column cannot have multiple aliases, e.g. rename col1 as foo, col1 as bar is not valid.

Returns

The same table as the input with specified columns renamed to aliases. If a column was renamed, the original column name does not exist in the output.

Examples

# Rename a column
* | rename elapsed_ms as Latency

# Rename a column to a name with spaces
* | rename elapsed_ms as "Latency in milliseconds"

# Rename multiple columns
* | rename elapsed_ms as Latency, hostname as Host
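
The ordering, overwrite and missing-column rules described above, modelled in Python as an added example to show which columns survive a rename chain; this is not Scanner's code. It assumes a table can be represented as a dict of column name to values, and the column names and values in SAMPLE are constructed for the illustration.

```python
# Added illustration: a model of the rename() rules documented on this page,
# not Scanner's implementation. A table is modelled as {column_name: [values]}.

def rename(table, pairs):
    """Apply (col, alias) pairs in order and return a new table."""
    sources = [col for col, _ in pairs]
    dupes = {c for c in sources if sources.count(c) > 1}
    if dupes:
        # "A column cannot have multiple aliases"
        raise ValueError(f"column(s) given more than one alias: {sorted(dupes)}")

    out = dict(table)  # shallow copy; the input table is left untouched
    for col, alias in pairs:
        if col in out:
            # Moving the values overwrites any existing column named alias,
            # and the original column name disappears from the output.
            out[alias] = out.pop(col)
        else:
            # col is missing: an existing alias column is dropped;
            # if neither exists this step has no effect.
            out.pop(alias, None)
    return out


# Constructed sample table (values are made up for the example).
SAMPLE = {
    "elapsed_ms": [12, 340],
    "hostname": ["web-1", "web-2"],
    "src_ip": ["10.0.0.5", "10.0.0.9"],
}

def demo():
    """Run each documented edge case against SAMPLE."""
    return {
        "same_alias_twice": rename(SAMPLE, [("elapsed_ms", "foo"), ("hostname", "foo")]),
        "chained": rename(SAMPLE, [("elapsed_ms", "foo"), ("foo", "bar")]),
        "overwrite_existing": rename(SAMPLE, [("elapsed_ms", "hostname")]),
        "missing_col_drops_alias": rename(SAMPLE, [("no_such_col", "src_ip")]),
        "neither_exists": rename(SAMPLE, [("no_such_col", "no_such_alias")]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {sorted(result)}")
```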