I know an old question, but actually your idea works, the first part in the subsearch till "fields - ..." simply builds a table I use for field renaming, so that users only need to edit a lookup for renaming fields: | makeresults | eval field1="some value", field2="another value" | rename [| makeresults | eval mapping="field1:field_one field2:field_two" | makemv delim=" " mapping | mvexpand mapping | rex field=mapping "(?<orig>[^:]+):(?<new>.*)" | fields - _time, mapping | eval rename_phrase=orig + " as " + "\"" + new + "\"" | stats values(rename_phrase) as rename_phrases | eval search=mvjoin(rename_phrases, ", ") | fields search] But it can only build arguments, as seen that rename must be in the base search. Maybe of use for somebody out there. ... View more

Thanks, I did give you +1 for this, since it work as well. Only pitfall that I needed to add 0 to the transpose or I lost rows. (default 5 rows) transpose 0 header_field=client column_name=value ... View more