This makes an extra copy of the event, thus the next step in the pipeline will see both events. This is mostly useful in the parser pipeline.

If you are using this function to copy an event to another repository, the ALLOW_CHANGE_REPO_ON_EVENTS environment variable must be set to true.

Function Traits: Transformation

ParameterTypeRequiredDefaultDescription
type[a]stringrequired  The value for #type for the copy.

[a] The argument name type can be omitted.

The parameter name for type can be omitted; the following forms are equivalent:

logscale
copyEvent("value")

and:

logscale
copyEvent(type="value")

copyEvent() Examples

We store the event both with the timestamp from the event, but also as a separate stream based on arrival time. This assumes the event has a type that is not arrivaltime.

logscale
copyEvent("arrivaltime")
| case { #type=arrivaltime
| @timestamp:=now() ; *
| parseTimestamp(field=ts) }

An example of copying event from one repo to another, which can only be used in a parser, for example Multiple Repositories

logscale
copyEvent("cloned_event")
| case { #type="cloned_event"
| repo := "target-repo-name"; * }