The project-rename operator in APL lets you rename columns in a dataset while keeping all existing rows intact. You can use it when you want to make column names clearer, align them with naming conventions, or prepare data for downstream processing. Unlike project, which also controls which columns appear in the result, project-rename only changes the names of selected columns and keeps the full set of columns in the dataset.
This operator is useful when:
- You want to standardize field names across multiple queries.
- You want to replace long or inconsistent column names with simpler ones.
- You want to improve query readability without altering the underlying data.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, renaming fields uses the rename command. The project-rename operator in APL works in a similar way. Both let you map existing fields to new names without altering the dataset content.
['sample-http-logs']
| project-rename url = uri, http_status = status
In ANSI SQL, renaming columns is done with AS in a SELECT statement. In APL, project-rename is the closest equivalent, but unlike SQL, it preserves all columns by default while renaming only the specified ones.
['sample-http-logs']
| project-rename url = uri, http_status = status
Usage
Syntax
Table
| project-rename NewName1 = OldName1, NewName2 = OldName2, ...
Parameters
| Name | Type | Description |
|---|---|---|
| NewName | string | The new column name you want to assign. |
| OldName | string | The existing column name to rename. |
Returns
A dataset with the same rows and columns as the input, except that the specified columns have new names.
Use case examples
When analyzing HTTP logs, you might want to rename fields to shorter or more descriptive names before creating dashboards or reports.
Query
['sample-http-logs']
| project-rename city = ['geo.city'], country = ['geo.country']
Output
| _time | req_duration_ms | id | status | uri | method | city | country |
|---|---|---|---|---|---|---|---|
| 2025-09-01T10:00:00Z | 120 | user1 | 200 | /home | GET | Paris | FR |
| 2025-09-01T10:01:00Z | 85 | user2 | 404 | /about | GET | Berlin | DE |
This query renames the geo.city and geo.country fields to city and country for easier use in queries.
When inspecting distributed traces, you can rename service-related fields to match your internal naming conventions.
Query
['otel-demo-traces']
| project-rename service = ['service.name']
Output
| _time | duration | span_id | trace_id | service | kind |
|---|---|---|---|---|---|
| 2025-09-01T09:55:00Z | 00:00:01.200 | abc123 | trace789 | frontend | server |
| 2025-09-01T09:56:00Z | 00:00:00.450 | def456 | trace790 | checkout | client |
This query renames service.name to service, making it shorter for downstream filtering.
For security-related HTTP log analysis, you can rename status and URI fields to match existing security dashboards.
Query
['sample-http-logs']
| project-rename http_status = status, url = uri
Output
| _time | req_duration_ms | id | http_status | url | method | geo.city | geo.country |
|---|---|---|---|---|---|---|---|
| 2025-09-01T11:00:00Z | 150 | user5 | 403 | /admin | POST | Madrid | ES |
| 2025-09-01T11:02:00Z | 200 | user6 | 500 | /login | POST | Rome | IT |
This query renames status to http_status and uri to url, making the output align with security alerting systems.
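The following query is an added example, not part of the original documentation. It extends the security rename above into a small detection pipeline to show that every later stage has to reference the new names, while columns that were not renamed (id, method, _time) stay available. The 5-minute window, the threshold of 10, and the denied_requests column name are assumptions chosen for illustration.

```kusto
['sample-http-logs']
| project-rename http_status = status, url = uri
// From here on, status and uri no longer exist; use http_status and url.
| where toint(http_status) == 403
// id, method and _time were not renamed, so they keep their original names.
| summarize denied_requests = count() by id, url, method, bin(_time, 5m)
// Assumed threshold: flag users with 10 or more denied requests per window.
| where denied_requests >= 10
| sort by denied_requests desc
```

Placing project-rename first means the summarized output already carries the field names the dashboard or alert expects, so no second rename is needed at the end of the query.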
List of related operators
- extend: Creates new calculated columns. Use it when you want to add columns rather than rename existing ones.
- project: Lets you select and rename columns at the same time. Use it when you want to control which columns appear in the result.
- project-away: Removes specific columns from the dataset. Use it when you want to drop columns rather than rename them.
- summarize: Aggregates data into groups. Use it when you want to compute metrics rather than adjust column names.