Note that you could do it using a single pipeline, but this is a terrible idea, since if you get anything wrong it sets up an infinite loop, like this:

```
input {
  beats { port => 5044 }
  tcp { port => 5144 codec => cef {} }
}
output {
  if "forcepoint" in [tags] {
    # the tcp output requires host; this sends the event back into the tcp input above
    tcp { host => "localhost" port => 5144 }
  } else {
    elasticsearch { ... }
  }
}
```
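Where you might get away with:

```
input {
  beats { port => 5044 }
  # every event arriving on this input is tagged "decoded"
  tcp { port => 5144 codec => cef {} tags => [ "decoded" ] }
}
output {
  # only events that have not already been through the tcp input are looped back
  if "forcepoint" in [tags] and "decoded" not in [tags] {
    tcp { host => "localhost" port => 5144 }
  } else {
    elasticsearch { ... }
  }
}
```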
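A pre-deployment check for the loop described above, as an added example that is not part of the original post: it flags any `tcp` output whose port is also a `tcp` input in the same pipeline, unless the output's condition excludes a tag that input adds. The function names and sample strings are constructed here; it assumes the output targets the local host and that the nearest preceding `if` is the output's guard.

```python
import re

def _blocks(text, name):
    """Yield (offset, body) for each `name { ... }` block, matching nested braces."""
    for m in re.finditer(r'\b%s\s*\{' % name, text):
        depth, i = 1, m.end()
        while depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.start(), text[m.end():i - 1]

def loopback_findings(cfg):
    """Report tcp outputs that target a port this same pipeline listens on."""
    inputs = next(_blocks(cfg, 'input'))[1]
    outputs = next(_blocks(cfg, 'output'))[1]
    listeners = {}  # port -> tags the tcp input adds to every event it receives
    for _, blk in _blocks(inputs, 'tcp'):
        port = re.search(r'port\s*=>\s*(\d+)', blk).group(1)
        tags = re.search(r'tags\s*=>\s*\[([^\]]*)\]', blk)
        listeners[port] = re.findall(r'"([^"]+)"', tags.group(1)) if tags else []
    findings = []
    for off, blk in _blocks(outputs, 'tcp'):
        port = re.search(r'port\s*=>\s*(\d+)', blk).group(1)
        if port not in listeners:
            continue
        # Simplification: take the nearest preceding `if` as this output's guard.
        conds = re.findall(r'\bif\s+(.*?)\s*\{', outputs[:off])
        cond = conds[-1] if conds else ''
        guarded = any(re.search(r'"%s"\s+not\s+in\s+\[tags\]' % re.escape(t), cond)
                      for t in listeners[port])
        findings.append((port, 'guarded' if guarded else 'unguarded'))
    return findings

# Constructed samples mirroring the two configs in the post.
UNGUARDED = '''
input { beats { port => 5044 } tcp { port => 5144 codec => cef {} } }
output {
  if "forcepoint" in [tags] { tcp { host => "localhost" port => 5144 } }
  else { elasticsearch { ... } }
}'''
GUARDED = UNGUARDED.replace('cef {} }', 'cef {} tags => [ "decoded" ] }').replace(
    'in [tags] {', 'in [tags] and "decoded" not in [tags] {')

if __name__ == '__main__':
    print(loopback_findings(UNGUARDED), loopback_findings(GUARDED))
```

An `unguarded` finding means every event the `tcp` input emits can match the same output condition again, which is the infinite loop the post warns about.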