[panw] Prefer set with copy_from and ignore_empty_value #15800
Conversation
ignore_empty_value shortcuts within the processor itself, while ignore_failure means that the processor throws an exception (expensive) and the exception is caught.
I don't think these have value beyond the semantics of what ignore_empty_value already does (but perhaps I'm wrong!).
For the same reason as preferring ignore_empty_value on the set processors
|
@joegallo, this looks great! I've actually been working on tool for helping make bulk changes to integrations (eventually will make its way into elastic-package, but working on some yaml AST modification stuff in the mean time), and something like this would be an easy and quick addition. I'll take a closer look at this PR and let you know if anything needs adjusting. Edit: Also worth mentioning that we are also going to take a look at our use of |
There was a problem hiding this comment.
Code changes seem fine, we just need to add an entry in the changelog and bump the version in the manifest. If you have elastic-package installed, you can use the changelog subcommand:
elastic-package changelog add --next patch --type enhancement --description 'Prefer set with ignore_empty_value.' --link 'https://github.com/elastic/integrations/pull/15800'
taylor-swanson
added
enhancement
taylor-swanson
changed the title
|
While we are on this topic... There are also usages like this: set:
field: user.name
value: "{{{destination.user.name}}}"
ignore_failure: true
if: ctx.user?.name == nullAny reasons why we'd use templates over set:
field: user.name
copy_from: destination.user.name
ignore_empty_value: true
override: false |
Not for the ordinary case! See #15279 for some of my thoughts on that. |
Ooh, yeah, I don't specifically have a pre-built opinion on that one yet! Naively I'd guess that in the current implementation of things, the Is there an integration that you're aware of that does that a whole lot? |
I think we use it quite extensively in our integrations. Probably not for any particular reason other than someone did it in the past and everyone else followed suit. I could see why
Putting this on my wish list 😄 |
| tag: set__temp__external_zones_20b326b7 | ||
| field: _temp_.external_zones | ||
| copy_from: _conf.external_zones | ||
| if: ctx._conf?.external_zones != null |
There was a problem hiding this comment.
To get extremely pedantic, though -- my change here (and in the next stanza) could actually be a change in behavior.
The prior logic with the if: script would not copy_from a null value, but it would copy_from an empty string. The new logic with ignore_empty_value will ignore nulls and it will also ignore empty strings.
I don't imagine that that difference in behavior actually matters, but I don't want to let it sneak by without comment/consideration.
There was a problem hiding this comment.
I don't think that should matter here, thankfully. _conf.external_zones and _conf.internal_zones is set by the integration config to always be either null or an array of strings.
To be honest, I'm not really sure why these processors even exist (since we could just use the conf fields directly), but that's a topic for a different day 😄.
|
/test benchmark fullreport |
🚀 Benchmarks reportTo see the full report comment with |
joegallo
changed the title
because copy_from is faster than value (when the value is a mustache template that merely does field access).
💚 Build Succeeded
History
|
|
Pinging @elastic/integration-experience (Team:Integration-Experience) |
|
The current benchmark report #15800 (comment) is showing as blank (🤷!) but prior to my most recent commit here (4adb496) that should make things even faster, it was showing this: 
|
| tag: set__temp__external_zones_20b326b7 | ||
| field: _temp_.external_zones | ||
| copy_from: _conf.external_zones | ||
| if: ctx._conf?.external_zones != null |
There was a problem hiding this comment.
I don't think that should matter here, thankfully. _conf.external_zones and _conf.internal_zones is set by the integration config to always be either null or an array of strings.
To be honest, I'm not really sure why these processors even exist (since we could just use the conf fields directly), but that's a topic for a different day 😄.
3 participants
Proposed commit message
Prefer the
ignore_empty_valueoption of thesetprocessor for thepanosthreatandtrafficpipelines, and prefer thecopy_fromoption of thesetprocessor for thepanospipeline.The logic applies elsewhere, too, but I'm limiting the scope of this change as a proof-of-concept.
ignore_failureoperates by catching and ignoring whatever exception(s) might be thrown by the tagged processor, so the (somewhat unfortunate) default behavior of thesetprocessor to throw an exception on an absent value ends up being surprisingly expensive. By way of contrast,ignore_empty_valuedoes what it says, it just ignores the empty value and moves on. So the latter is faster and the former is slower.The
copy_fromchange was originally part of #15279, but I've pulled it into this PR in order to have all mypanwchanges in a single place. As with theignore_failurechange, this is a performance optimization: when the field to be copied is already just a string, and so the set processor with mustache isn't being used for the side effect of converting to a string, then it's quite a bit faster to use copy_from rather than value (with mustache templating).This doesn't matter much for a low volume integration, or one that only uses a handful of
setprocessors, but with manysetprocessors being executed many times it can start to add up.