Automatic field names

When you don't specify output field names in your queries, Hamelin generates sensible names automatically. This reduces typing and makes exploratory queries faster to write. You can always override the automatic names by providing your own.

How automatic naming works

Hamelin uses the expression itself as the output field name when you don't provide one. This creates predictable, readable field names that reflect what the field contains. As an example, for simple field references, Hamelin uses the field name as the output field name:

FROM events | SELECT timestamp, user_name
// Result fields: "timestamp", "user_name"

For any expression more complex than a simple field reference, Hamelin uses the full expression text as the field name:

FROM events | SELECT user_name, timestamp + 1hr, count()
// Result fields: "user_name", "timestamp + 1hr", "count()"

FROM logs | AGG count(error_code), avg(response_time) BY service
// Result fields: "count(error_code)", "avg(response_time)"

Referencing automatic field names

Use backticks to reference automatically generated field names from complex expressions:

FROM events
| AGG count(), avg(response_time) BY service_name
| WHERE `count()` > 100
| SORT `avg(response_time)` DESC

The backticks tell Hamelin you're referring to a field name that contains special characters or spaces.

Commands that use automatic naming

SELECT command

SELECT generates field names from the expressions you provide:

FROM users | SELECT first_name + " " + last_name, age * 12
// Result fields: "first_name + " " + last_name", "age * 12"

AGG command

AGG creates field names from both aggregation functions and grouping fields:

FROM requests | AGG count(), max(response_time) BY endpoint
// Result fields: "endpoint", "count()", "max(response_time)"

FROM events | AGG count() BY user_name, timestamp@hr
// Result fields: "user_name", "timestamp@hr", "count()"

You can override the automatic names for both aggregation functions and grouping fields:

FROM requests | AGG
    request_count = count(),
    max_response = max(response_time)
  BY service_endpoint = endpoint
// Result fields: "service_endpoint", "request_count", "max_response"

WINDOW command

WINDOW functions generate names from the function calls:

FROM metrics
| WINDOW count(), avg(cpu_usage)
  BY host
  SORT timestamp
  WITHIN -5min
// Result fields: "count()", "avg(cpu_usage)"

Overriding automatic names

Provide explicit names when you want cleaner field names or need to reference them easily:

// Automatic names (harder to reference)
FROM events | AGG count(), avg(response_time) BY service

// Explicit names (easier to reference)
FROM events | AGG
    total_events = count(),
    avg_response = avg(response_time)
  BY service

Explicit names make your queries more readable and easier to chain with additional operations.

When automatic names are most useful

Automatic naming speeds up data exploration when you're trying to understand your data. As an example, you can see results quickly without thinking about field names:

FROM logs | AGG count(), count_distinct(user_name), max(timestamp) BY service

For straightforward field selections, automatic names keep queries concise:

FROM events | SELECT user_name, timestamp, action_type

You can also start with automatic names, then add explicit names as your query becomes more complex:

// Start simple
FROM events | AGG count() BY event_type

// Add explicit names as needed
FROM events | AGG event_count = count() BY event_type

Automatic field names reduce friction in query writing while maintaining clarity about what each field contains.

How automatic naming works​

Referencing automatic field names​

Commands that use automatic naming​

SELECT command​

AGG command​

WINDOW command​

Overriding automatic names​

When automatic names are most useful​