Rename fields from events
The rename processor specifies a list of fields to rename. This processor cannot be used to overwrite fields. To overwrite fields, either first rename the target field, or use the drop_fields processor to drop the field, and then rename the field.
You can rename fields to resolve field name conflicts. For example, if an event has two fields, c and c.b (where b is a subfield of c), assigning scalar values results in an Elasticsearch error at ingest time. The assignment {"c": 1,"c.b": 2} would result in an error because c is an object and cannot be assigned a scalar value. To prevent this conflict, rename c to c.value before assigning values.
- rename:
fields:
- from: "a.g"
to: "e.d"
ignore_missing: false
fail_on_error: true
Elastic Agent processors execute before ingest pipelines, which means that your processor configurations cannot refer to fields that are created by ingest pipelines or Logstash. For more limitations, refer to What are some limitations of using processors?
| Name | Required | Default | Description |
|---|---|---|---|
fields |
Yes | Contains: * from: "old-key", where from is the original field name. You can use the @metadata. prefix in this field to rename keys in the event metadata instead of event fields.* to: "new-key", where to is the target field name. |
|
ignore_missing |
No | false |
Whether to ignore missing keys. If true, no error is logged when a key that should be renamed is missing. |
fail_on_error |
No | true |
Whether to fail renaming if an error occurs. If true and an error occurs, the renaming of fields is stopped, and the original event is returned. If false, renaming continues even if an error occurs during renaming. |
See Conditions for a list of supported conditions.
You can specify multiple rename processors under the processors section.