Introduce event aggregator feature

[gbossert]

This PR introduces the event aggregator feature in the SDK.
Some work must still be done to find a way to transparently integrate it in connectors logic without major performance impact.

[github-actions]

Test Results

168 tests  +6   167 ✔️ +6   1m 33s ⏱️ -2s
    1 suites ±0       1 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit dde0103. ± Comparison against base commit aa1101d.

♻️ This comment has been updated with latest results.

[Darkheir]

Nice work, we will indeed need to find a way to integrate it in the connectors code so we could benefit from those aggregation capabilities.

[Darkheir]

Suggested change

	xxhash.xxh64(
	f"{event_dialect_uuid};{fingerprint.build_hash_str_func(event)}"
	).hexdigest(),
	xxhash.xxh3_64_hexdigest(
	f"{event_dialect_uuid};{fingerprint.build_hash_str_func(event)}"
	),

[gbossert]

fixed

[Darkheir]

Suggested change

	import xxhash as xxhash
	import xxhash

[gbossert]

pycharm you are drunk. thank you @Darkheir

[gbossert]

fixed

[Darkheir]

I'm not sure this attribute is set in the events. The workflow sets it, but in the connectors we usually only have the intake key.

[gbossert]

I removed the need to explicit the dialect as an aggregation engine will be configured for each connector with their specific dialects

[Darkheir]

Maybe we could have a single function that, if it returns None, will omit aggregation ?

The idea behind it is to avoid to have to iterate the events twice, once to check if it can be aggregated and a second time to calculate the fingerprint.

Suggested change

	condition_func: Callable[[dict], bool]
	build_hash_str_func: Callable[[dict], str]
	build_hash_str_func: Callable[[dict], str | None]

[gbossert]

applied

[Darkheir]

Suggested change

ttl: int # ttl value

[gbossert]

fixed

[Darkheir]

Suggested change

	aggregated_event = copy.deepcopy(self.event)
	aggregated_event["sekoiaio"]["repeat"] = {
	aggregated_event = copy.deepcopy(self.event)
	aggregated_event.setdefault("sekoiaio", {})
	aggregated_event["sekoiaio"]["repeat"] = {

[gbossert]

fixed

[Darkheir]

Improvement that could be added later:

If the lock becomes a bottleneck a common solution is to use shards to avoid lock contention.

Based on the fingerprint the Aggregations would be stored in 1 of the n shards. The lock to access or write a key would then need to lock only 1 shard, allowing other threads to read/write in the other shards at the same time.

[gbossert]

This approach looks very interesting.
The main issue that prevented me from implementing on this initial version is the complexity that comes with the following expectation that every shard must be handled by dedicated threads to prevent one locked shard to block the others.

But obviously, if you believe this current version will have a major impact on the performances of a collector I will implement this sharding mecanism in this PR.

[Darkheir]

I agree with you, let's not add complexity that may not even bee needed.

It was just a thought I got while reviewing your code :)

[codecov]

Codecov Report

Attention: 6 lines in your changes are missing coverage. Please review.

Comparison is base (aa1101d) 95.83% compared to head (dde0103) 95.74%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #87      +/-   ##
==========================================
- Coverage   95.83%   95.74%   -0.09%     
==========================================
  Files          26       27       +1     
  Lines        1897     1998     +101     
==========================================
+ Hits         1818     1913      +95     
- Misses         79       85       +6     

Files	Coverage Δ
sekoia_automation/connector/event_aggregator.py	94.05% <94.05%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[gbossert]

Unfortunately, the connector class doesn't expose a method that gives access to a parsed version of the event. Instead it only have access to the str version of the event.
For this reason, we cannot transparently enable aggregation.

[Darkheir]

Unfortunately, the connector class doesn't expose a method that gives access to a parsed version of the event. Instead it only have access to the str version of the event. For this reason, we cannot transparently enable aggregation.

So maybe we could expose an aggregate method (or any other name) that would allow to perform aggregations.
It would take a list of events (dicts) and return the events to send.
If the event belongs to an already existing aggregation bucket then it will not be in the returned data.
We could add the events from the expired TTL buckets to the list.