Makes an extra copy of the event, so the next step in the pipeline sees both events. This is mostly useful in the parser pipeline.
For On-Prem deployments only: If you are using this function to copy an event to another repository, the ALLOW_CHANGE_REPO_ON_EVENTS environment variable must be set to true.
Omitted Argument Names
The argument name for type can be omitted; the following forms of this function are equivalent:
copyEvent("value")
and:
copyEvent(type="value")
These examples show basic structure only.
copyEvent() Examples
This example stores the event both with the timestamp from the event and as a separate stream based on arrival time. This assumes the event has a type that is not arrivaltime.
copyEvent("arrivaltime")
| case { #type=arrivaltime
| @timestamp:=now() ; *
| parseTimestamp(field=ts) }
An example of copying an event from one repo to another. This can only be used in a parser; see, for example, Ingesting Data to Multiple Repositories.
copyEvent("cloned_event")
| case { #type="cloned_event"
| repo := "target-repo-name"; * }