Makes an extra copy of the event, thus the next step in the pipeline will see both events. This is mostly useful in the parser pipeline.

For On-Prem deployments only: If you are using this function to copy an event to another repository, the ALLOW_CHANGE_REPO_ON_EVENTS environment variable must be set to true.

ParameterTypeRequiredDefaultDescription
type[a]stringrequired  The value for #type for the copy.

[a] The argument name type can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

copyEvent() Examples

We store the event both with the timestamp from the event, but also as a separate stream based on arrival time. This assumes the event has a type that is not arrivaltime.

logscale
copyEvent("arrivaltime")
| case { #type=arrivaltime
| @timestamp:=now() ; *
| parseTimestamp(field=ts) }

An example of copying event from one repo to another, which can only be used in a parser, for example Multiple Repositories

logscale
copyEvent("cloned_event")
| case { #type="cloned_event"
| repo := "target-repo-name"; * }