Skip to content

Prefer set with copy_from #15279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Prefer set with copy_from #15279

wants to merge 3 commits into from
+10 −10

Conversation

joegallo
Copy link
Contributor

@joegallo joegallo commented Sep 10, 2025
edited
Loading

Proposed commit message

Prefer the copy_from option of the set processor for high certain high volume integrations.

When the field to be copied is already just a string, and so the set processor with mustache isn't being used for the side effect of converting to a string, then it's quite a bit faster to use copy_from rather than value (with mustache templating).

For example, in a large cluster that I was looking at a few minutes ago, the most expensive single set processor is this one:

{
  "set": {
    "field": "cloud.account.id",
    "if": "ctx.aws?.vpcflow?.account_id != null",
    "value": "{{aws.vpcflow.account_id}}"
  }
}

It's taking 2.8 microseconds per doc, as compared to the average of all set processor invocations for the same pipeline which is only .6 microseconds per doc. The cluster in question is processing billions and billions of documents per hour, though, so microseconds add up (and this particularly-expensive set processor is the eighth-most expensive processor for the entire pipeline).

I'm marking this a draft because I'm not 100% absolutely sure about my changes or the correct process for PRs on this repo.

@joegallo
Prefer set with copy_from
a79b6aa 
because copy_from is faster than value (when the value is a mustache
template that merely does field access).
@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@joegallo
Copy link
Contributor Author

/test benchmark fullreport

@andrewkroh andrewkroh added Integration:panw Palo Alto Next-Gen Firewall Integration:aws AWS Integration:gcp Google Cloud Platform labels Sep 10, 2025
@andrewkroh
Copy link
Member

/test benchmark fullreport

@elasticmachine
Copy link

💚 Build Succeeded

History

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
>enhancement Integration:aws AWS Integration:gcp Google Cloud Platform Integration:panw Palo Alto Next-Gen Firewall
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joegallo @andrewkroh @elasticmachine