copyEvent() Query Function

Makes an extra copy of the event, so the next step in the pipeline sees both the original event and the copy. This is mostly useful in the parser pipeline.


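| Name | Type   | Required | Default | Description                        |
|------|--------|----------|---------|------------------------------------|
| type | string | Yes      |         | The value for #type for the copy.  |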

type is the unnamed parameter.


We store the event both with the timestamp from the event and as a separate stream based on arrival time. This assumes the event has a type that is not arrivaltime.

copyEvent("arrivaltime") | case { #type=arrivaltime | @timestamp:=now() ; * | parseTimestamp(field=ts) }
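The following Python sketch is an added illustration, not LogScale code or part of the original documentation. It models what the query above does to a single event and shows why the "type that is not arrivaltime" assumption matters. The function names, the sample event and the ISO 8601 format of ts are assumptions made for the example.

```python
from datetime import datetime, timezone

def copy_event(event, new_type):
    """Model of copyEvent(): pass on the original plus a copy with #type replaced."""
    copy = dict(event)
    copy["#type"] = new_type
    return [event, copy]

def route(event, arrival):
    """Model of the case { ... } block: the first matching clause is applied."""
    out = dict(event)
    if out.get("#type") == "arrivaltime":
        out["@timestamp"] = arrival                             # @timestamp := now()
    else:
        out["@timestamp"] = datetime.fromisoformat(out["ts"])   # parseTimestamp(field=ts)
    return out

def run_pipeline(event, arrival):
    """One event in, two events out, each routed by its #type."""
    return [route(e, arrival) for e in copy_event(event, "arrivaltime")]

def event_time_kept(events, arrival):
    """True if at least one output event still carries the event's own timestamp."""
    return any(e["@timestamp"] != arrival for e in events)

# Constructed sample input: an event that arrived 42 seconds after it was produced.
ARRIVAL = datetime(2024, 3, 1, 10, 15, 42, tzinfo=timezone.utc)
SAMPLE = {"#type": "accesslog", "ts": "2024-03-01T10:15:00+00:00", "msg": "login ok"}
# Constructed edge case: the incoming event already has the type used for the copy.
CLASH = {"#type": "arrivaltime", "ts": "2024-03-01T10:15:00+00:00", "msg": "login ok"}

if __name__ == "__main__":
    for label, ev in (("normal", SAMPLE), ("type clash", CLASH)):
        out = run_pipeline(ev, ARRIVAL)
        for e in out:
            print(label, e["#type"], e["@timestamp"].isoformat())
        print(label, "event time kept:", event_time_kept(out, ARRIVAL))
```

In the type-clash case both output events take the first branch, so the event-time stream is lost and the arrival-time stream holds the event twice.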