rename field on a per analyzer basis

Zeek
1

How can I rename a field based on the analyzer? For example:

smtp.log:path → smtp.log->smtp_path
smb_files.log:path → smb_files.log:smb_path

Currently I am using default map, but this does it for all analyzers:

redef Log::default_field_name_map = { [“path”] = “smb_path”,

2

field_name_map is a Log::Filter option. You can apply those tables per filter so you can do something like this…

event bro_init()
    {
    local f = Log::get_filter(Conn::LOG, "default");
    f$field_name_map = table(["service"] = "blarg");
    Log::add_filter(Conn::LOG, f);
    }