Makes an extra copy of the event, thus the next step in the pipeline will see both events. This is mostly useful in the parser pipeline.

For On-Prem deployments only: If you are using this function to copy an event to another repository, the ALLOW_CHANGE_REPO_ON_EVENTS environment variable must be set to true.

ParameterTypeRequiredDefaultDescription
type[a]stringrequired  The value for #type for the copy.

[a] The argument name type can be omitted.

Omitted Argument Names

The argument name for type can be omitted; the following forms of this function are equivalent:

logscale
copyEvent("value")

and:

logscale
copyEvent(type="value")

These examples show basic structure only; full examples are provided below.

copyEvent() Examples

We store the event both with the timestamp from the event, but also as a separate stream based on arrival time. This assumes the event has a type that is not arrivaltime.

logscale
copyEvent("arrivaltime")
| case { #type=arrivaltime
| @timestamp:=now() ; *
| parseTimestamp(field=ts) }

An example of copying event from one repo to another, which can only be used in a parser, for example Multiple Repositories

logscale
copyEvent("cloned_event")
| case { #type="cloned_event"
| repo := "target-repo-name"; * }