Prefer set with copy_from

joegallo · joegallo · commit 4adb4965189d · 2025-10-30T14:49:18.000-04:00
because copy_from is faster than value (when the value is a mustache
template that merely does field access).
diff --git a/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml b/packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/default.yml
@@ -20,7 +20,7 @@ processors:
   - set:
       tag: set_event_timezone_ab6989dd
       field: event.timezone
-      value: '{{{_conf.tz_offset}}}'
+      copy_from: _conf.tz_offset
       if: ctx._conf?.tz_offset instanceof String && !ctx._conf.tz_offset.equalsIgnoreCase('local')
 
   # Collects the first few parts of the message to be used for conditional parsing later
@@ -370,7 +370,7 @@ processors:
       tag: set_session_start_time_ee5db372
       if: ctx.panw?.panos?.parent_session?.start_time != null
       field: session.start_time
-      value: '{{{panw.panos.parent_session.start_time}}}'
+      copy_from: panw.panos.parent_session.start_time
 
   # Remove NAT fields when translation was not done.
   - remove:
@@ -1852,7 +1852,7 @@ processors:
   - set:
       tag: set_rule_name_809e7c7b
       field: rule.name
-      value: '{{{panw.panos.ruleset}}}'
+      copy_from: panw.panos.ruleset
       ignore_empty_value: true
       if: ctx.rule?.name == null
   - append:
