Global vs Local Variables
Some of our team recently attended ArcSight training. On return to work we seemed to have some quite different views on the relative impacts of global versus local variables than it would be nice to get cleared up. I haven't managed to find clarification in the documentation, discussions/questions here or in the Knowledgebase so thought I would pose the question here.
My understanding was that variables (irrespective of being local or global) caused a processing overhead and could affect performance. You make global variables if it is variable than will be reused but that there was no inherent performance cost difference between global and local variables? How much of a performance hit the variable caused depended on the relative complexity of the variable and the resource it was used in ie OK in reports but not so good in active channels where variable logic being applied to all events in the channel.....
Others have a perspective now that global variables are somehow inherently bad and that we should only use local variables in content and global variable extremely sparingly. They think global variables are somehow done at a connector level or similar on every event that comes into ESM and stored somewhere??
Perhaps I am wrong but I would have though the variable, regardless of type, would just dynamically do the variable logic thing as required. So in the example of an active channel if it was filtering out 99.999% of events then variable logic would only be applied to the 0.001% of events we were interested in, and not every event that hits ESM.
Recreating variables as local variable in many resources is labour intensive and error prone and would seem to defeat the whole purpose of global variables. Given how many global variables ArcSight creates for the like of actor use cases it would seem that global variables can't be that bad....
So, is there any performance difference between local and global variables? If someone could point us to a definitive source of truth on this that would be much appreciated.
Re: Global vs Local Variables
Global variables are evaluated once per event, as needed and shared.
Using variables in active channels can negatively impact performance and favor not doing so. Knowing this made me curious and I did testing on exactly that, with one set of tests using global variables, and another using local ones.
The variables were placed in an active channel as a custom column and their responsiveness observed. I found the channels were much more responsive and displayed much quicker when using local variables, whereas global ones took several seconds longer (sometimes 10-20s longer).
From this I can only assume that using local variables are more efficient. This may not be completely accurate as I didn't test all variable types, never tried in various other resources, nor did I retry with differing complexity. Also my tests were done way back using ESM 6.0.
Still, I hope this observation helps!