How to change the name of the field of Palo Alto's log

The docs on pipelines are here. Create a pipeline, then create a rule in the pipeline that does what you want, then attach the pipeline to the stream. All messages in that stream will be processed through the rule in your pipeline before getting stored in the index at the end of the pipeline.

Your rule might look something like this:

rule "change field names"
when
  has_field("device_product") &&
  has_field("device_vendor")
then
  rename_field("device_product", "my_product_name");
  rename_field("device_vendor", "my_vendor_name");
end

On a side note, pipelines have stages, and generally speaking all rules within a single stage run at the same time… meaning if in the future you have a rule that takes the results of another rule, you need to sequence them in separate stages.

I wrote up a long post about my PA setup here … it's a little older but gets the idea across. There is more to the post thread if you read all around it…

Hopefully that gets you a little momentum!

1 Like
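As an added illustration of the stage-sequencing point in the answer above (this is not part of the original post), here is a complete pipeline definition in Graylog's pipeline rule language in which a second-stage rule depends on the field renamed in the first stage. The pipeline name, the second rule ("normalize vendor name") and the output field `pa_vendor_normalized` are assumptions for this example; the functions `has_field`, `rename_field`, `set_field`, `to_string` and `lowercase` are standard Graylog pipeline functions.

```text
// Stage 0 rule: rename the raw Palo Alto fields (same logic as the post above).
rule "change field names"
when
  has_field("device_product") &&
  has_field("device_vendor")
then
  rename_field("device_product", "my_product_name");
  rename_field("device_vendor", "my_vendor_name");
end

// Stage 1 rule (hypothetical, for this example): it reads the *renamed*
// field, so it only matches if the stage 0 rule has already run.
// Putting it in the same stage as the rename would be a race.
rule "normalize vendor name"
when
  has_field("my_vendor_name")
then
  set_field("pa_vendor_normalized", lowercase(to_string($message.my_vendor_name)));
end

// Pipeline definition (assumed name): stages run in order, and all rules
// inside one stage run together. "match all" means every rule in the stage
// must match for the message to continue to the next stage.
pipeline "Palo Alto field names"
stage 0 match all
  rule "change field names";
stage 1 match all
  rule "normalize vendor name";
end
```

After saving the two rules and the pipeline in the Graylog web UI, connect the pipeline to the Palo Alto stream; a message that carries `device_vendor` will then leave the pipeline with `my_vendor_name` and a lowercased `pa_vendor_normalized`, while a message missing the original fields passes through stage 0 unmatched and never reaches stage 1 under `match all`.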