Help with Split Filter

Hello

I'm trying to create two events out of one so that the subsequent pipeline takes place in both.

The event itself, before the split happens here:

filter {
   if [type] == "pre-split" {
     mutate {
       replace => {"value_1" => "value_1_pre"}
       replace => {"value_2" => "value_2_pre"}
       replace => {"value_3" => "value_3_pre"}
       replace => {"value_4" => "value_4_pre"}
     }
   }
}

My idea is to separate this event into two, the first with the values 1 and 2 and the second with the values 3 and 4.

It is not clear to me if what I want is possible or if it is with the split filter that I have to do it.

I'm a bit stuck on this topic and a little help would be great for me. Thanks in advance!

A split filter is used to take each entry in an array and create an event for it. (It can also split a delimited string into an array and then do the same.)

I think what you want is a clone filter.

clone { clones => [ "theClone" ] }
if [type] == "theClone" {
    # Do one thing
} else {
    # Do another
}

Thanks @Badger !

So the idea would be something like this?

filter {
   
   if [type] == "pre-split" {
        
        mutate {
        replace => {"value_1" => "value_1_pre"}
        replace => {"value_2" => "value_2_pre"}
        replace => {"value_3" => "value_3_pre"}
        replace => {"value_4" => "value_4_pre"}
        }

        clone { clones => [ "value12" ] }

        if [type] == "value12" {
            mutate { remove_field => [ "value_3_pre","value_4_pre" ]  }
        } else {
            mutate { type => "value34" }
            mutate { remove_field => [ "value_1_pre","value_2_pre" ]  ​}
        }
    }
}

So I understand that the two "events" that have been generated from the original will be processed separately as shown in the following image?

I have made this drawing (sorry for my lack of artistics) that I don't know if it would help to understand what I want to do:

clone_pipeline1868×587 9.89 KB

That looks right.