These docs are for Cribl Stream 4.8 and are no longer actively maintained.
See the latest version (4.11).
Rename
The Rename Function is designed to change fields’ names or reformat their names (e.g., by normalizing names to camelcase). You can use Rename to change specified fields (much like the Eval Function), or for bulk renaming based on a JavaScript expression (much like the Parser Function).
Compared to these alternatives, Rename offers a streamlined way to alter only field names, without other effects.
Usage
Filter: Filter expression (JS) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.
Description: Optionally, enter a simple description of this step in the Pipeline. Defaults to empty.
Final: If toggled to Yes, stops feeding data to the downstream Functions. Defaults to No.
Parent fields: Specify fields whose children will inherit the Rename fields and Rename expression operations. Supports wildcards. If empty, only top-level fields will be renamed.
This Function cannot operate on internal fields whose names begin with double underscores (
__).Note that you can still use
__eto access fields within the(context)object, as long as those fields do not begin with double underscores. That’s because__eis a special variable, not a field.
Rename fields: Each row here is a key-value pair that defines how to rename fields. The current name is the key, and the new name is the value. Click Add Field to add more rows.
Current name: Original name of the field to rename. You must quote literal identifiers (non-alphanumeric characters such as spaces or hyphens).
New name: New or reformatted name for the field. Here again, you must quote literals.
Rename expression: Optional JavaScript expression whose returned value will be used to rename fields. Use the name and value global variables to access fields’ names/values. Example: name.startsWith('data') ? name.toUpperCase() : name. You can access other fields’ values via event.<fieldName>.
A single Function can include both Rename fields (to rename specified field names) and Rename expression (to globally rename fields). However, the Rename fields strategy will execute first.
Advanced Settings
Parent field wildcard depth: For wildcards specified in Parent fields, sets the maximum depth within events to match and rename fields. Enter 0 to match only top-level fields. Defaults to 5 levels down.
Example
Change the level field, and all fields that start with out, to all-uppercase.
Example event:
{"inEvents": 622,
"level": "info",
"outEvents": 311,
"outBytes": 144030,
"activeCxn": 0,
"openCxn": 0,
"closeCxn": 0,
"activeEP": 105,
"blockedEP": 0
} Rename Fields:
Current name: level
New name: LEVEL
Rename expression: name.startsWith('out') ? name.toUpperCase() : name
Event after Rename:
{"inEvents": 622,
"LEVEL": "info",
"OUTEVENTS": 311,
"OUTBYTES": 144030,
"activeCxn": 0,
"openCxn": 0,
"closeCxn": 0,
"activeEP": 105,
"blockedEP": 0
}Applications
- Remove filename prefix
<myPrefix>:
Rename expression: name.replace(/<myPrefix>/, '')
- Add a wildcard to rename a set of fields named
json.record[0],json.record[1], etc., preserving the variable numbers in the brackets:
Rename expression: name.replace(/(json)\.(\w+)/,'MYNEWNAME-$2-$1')