Feb 4, 2026 · @tobim, @codex · #5703
AWS operators now support OIDC-based authentication via the AssumeRoleWithWebIdentity API.
You can authenticate with AWS resources using OpenID Connect tokens from external identity providers like Azure, Google Cloud, or custom endpoints. This enables secure cross-cloud authentication without sharing long-lived AWS credentials.
Configure web identity authentication in any AWS operator by specifying a token source and target role:
from_s3 "s3://bucket/path", aws_iam={
region: "us-east-1",
assume_role: "arn:aws:iam::123456789012:role/cross-cloud-role",
web_identity: {
token_file: "/path/to/oidc/token"
}
}
The web_identity option accepts three token sources: token_file (path to a token file), token_endpoint (HTTP endpoint that returns a token), or token (direct token value). For HTTP endpoints, you can extract tokens from JSON responses using path.
Credentials automatically refresh before expiration, with exponential backoff retry logic for transient failures. This is especially useful for long-running pipelines that need persistent authentication.
Mar 30, 2026 · @jachris · #5954
Pipelines that use and, or, or if-else expressions run significantly faster in certain cases — up to 30× in our benchmarks. The improvement is most noticeable in pipelines with complex filtering or branching logic. No pipeline changes are needed to benefit.
Mar 23, 2026 · @mavam, @codex · #5939
The ocsf::derive operator now supports OCSF 1.8.0 events.
For example, you can now derive enum and sibling fields for events that declare
metadata.version: "1.8.0":
from {metadata: {version: "1.8.0"}, class_uid: 1007}
ocsf::derive
This keeps OCSF normalization pipelines working when producers emit 1.8.0
events.
Platform configuration validation now provides clearer error messages when an invalid configuration is encountered, helping you quickly diagnose and fix configuration issues.
Setting TENZIR_ENDPOINT to an unresolvable hostname no longer crashes the pipeline with a segfault.
Mar 25, 2026 · @mavam, @claude · #5949
ocsf::derive no longer emits a false warning when an _id field is set
to 99 (Other) and the sibling string contains a source-specific value.
Per the OCSF specification, 99/Other is an explicit escape hatch: the
integer signals that the value is not in the schema's enumeration and the
companion string must hold the raw value from the data source. For
example, the following is now accepted silently:
from {
metadata: { version: "1.7.0" },
type_uid: 300201,
class_uid: 3002,
auth_protocol_id: 99,
auth_protocol: "Negotiate",
}
ocsf::derive
Previously this produced a spurious warning: found invalid value for 'auth_protocol' because "Negotiate" is not a named enum caption.
Mar 24, 2026 · @lava
The Azure Blob Storage connector now handles Azure::Core::Http::TransportException
(e.g., SSL certificate errors) gracefully instead of crashing. Previously, a
self-signed certificate in the certificate chain would cause an unhandled
exception and terminate the node.
Mar 20, 2026 · @mavam, @codex · #20
This fixes the release candidate workflow so RCs no longer remain in changelog history after they have been superseded. Creating a new -rc.N now replaces the previous RC for that cycle, and creating a stable release closes the RC cycle and removes its RC manifests from releases/.
For example:
# Start an RC cycle for a later stable release.
tenzir-ship release create v1.2.3 --rc --yes
tenzir-ship release create v1.3.0 --yes
# Or promote the active RC to its matching stable release.
tenzir-ship release create v1.2.3 --rc --yes
tenzir-ship release create --yes
After the stable release is created, the RC is no longer kept in release history. Release candidates are also cumulative, so each new RC includes the previous RC's entries plus any newly added unreleased entries, while stable releases remain incremental.
]]>Mar 17, 2026 · @tobim
Feather store files now include a TENZIR:store:origin key in the Arrow table
schema metadata. The value is "ingest" for freshly ingested data, "rebuild"
for partitions created by the rebuild command, and "compaction" for partitions
created by the compaction plugin. This allows external tooling such as pyarrow
to distinguish how a partition was produced.
Mar 11, 2026 · @IyeOnline, @codex, @mavam, @raxyte · #5897
The to_clickhouse operator now supports dynamic table names via an expression
table=..., which must evaluate to a string. If the value is not a valid
table name, the events will be dropped with a warning.
With this change, the operator will also create a database if it does not exist.
The prime use-case for this are OCSF event streams:
subscribe "ocsf"
ocsf::cast encode_variants=true, null_fill=true
to_clickhouse table=f"ocsf.{class_name.replace(" ","_")}", ...
You can now install Tenzir on Apple Silicon macOS via Homebrew:
brew tap tenzir/tenzir
brew install --cask tenzir
You can also install directly without tapping first:
brew install --cask tenzir/tenzir/tenzir
The release workflow keeps the Homebrew cask in sync with the signed macOS package so installs and uninstalls stay current across releases.
The AWS Marketplace ECR repository tenzir-node was incorrectly populated with
the tenzir image. It now correctly ships tenzir-node, which runs a Tenzir
node by default.
If you relied on the previous behavior, you can restore it by setting tenzir
as a custom entrypoint in your ECS task definition.
The bundled Suricata schema now covers the remaining event types listed in the Suricata 8.0.3 EVE JSON format documentation: IKE (IKEv1/IKEv2), HTTP/2, PostgreSQL, and Modbus. This completes Suricata 8 schema coverage for Tenzir.
The read_syslog operator and parse_syslog function now accept RFC 5424 structured-data parameter names longer than 32 characters, which some vendors emit despite the specification limit.
For example, this message now parses successfully instead of being rejected:
<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 [F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] broken example
This improves interoperability with vendor syslog implementations that exceed the RFC limit for structured-data parameter names.
Mar 14, 2026 · @aljazerzen · #5906
The batch timeout was only checked when a new event arrived, so a single event followed by an idle stream would never be emitted. The timeout now fires independently of upstream activity.
Mar 13, 2026 · @jachris · #5901
The parse_winlog function could fragment output into thousands of tiny
batches due to type conflicts in RenderingInfo/Keywords, where events with
one <Keyword> emitted a string but events with multiple emitted a list.
Additionally, EventData with unnamed <Data> elements is now always emitted
as a record with _0, _1, etc. as field names instead of a list.
Mar 12, 2026 · @jachris · #5899
The in operator for list expressions is up to 33x faster. Previously it
created and finalized entire Arrow arrays for every element comparison, causing
severe overhead for expressions like EventID in [5447, 4661, ...].
Additionally, comparing a typed null value with == now returns false instead
of null, and != returns true, fixing a correctness issue with null
handling in equality comparisons.
Mar 12, 2026 · @jachris · #5899
The in operator fast path now correctly prevents comparison of secret values.
Previously, secret_value in [...] would silently compare instead of returning
null with a warning, bypassing the established secret comparison policy.
Mar 12, 2026 · @jachris · #5900
Pattern equality checks now correctly consider the case-insensitive flag. Previously, two patterns that differed only in case sensitivity were treated as equal, violating the hash/equality contract.
Mar 12, 2026 · @jachris · #5899
Splitting Arrow arrays for string and blob types no longer over-reserves memory. Previously both output builders reserved the full input size each, using up to twice the necessary memory.
]]>tenzir-ship now supports release candidates via release create --rc. Creating a release candidate snapshots the current unreleased entries without consuming them, so you can iterate on -rc.N releases before promoting one to the final stable release. The stable base is inferred automatically, and rerunning the command continues the matching RC series when one already exists.
When you are ready to ship the stable release, rerun tenzir-ship release create without --rc and the latest outstanding release candidate becomes the matching stable release automatically. Once an RC series exists, you either continue it with release create --rc or promote the latest candidate with the normal stable command.
Publishing a release candidate now automatically creates a GitHub prerelease and prevents it from being marked as latest. release version and show latest continue to resolve the latest stable release, while release publish without an explicit version now targets the latest release manifest, including RCs. The bundled GitHub Actions release workflows accept rc so you can keep creating RCs from CI, and the default stable workflow promotes the latest outstanding candidate automatically.
Fixed a scheduling issue introduced in v5.24.0 that could cause the node to
become unresponsive when too many pipelines using detached operators like
from_udp were deployed simultaneously.
The bundled Suricata schema now includes types for four previously missing event types: ike, http2, pgsql, and modbus.
The ike type supports both IKEv1 and IKEv2 traffic. Version-specific fields are contained within dedicated ikev1 and ikev2 sub-objects, covering key exchange payloads, nonce payloads, client proposals, vendor IDs, and IKEv2 role/notify information.
The http2 type models HTTP/2 request and response streams including settings frames, header lists, error codes, and stream priority.
The pgsql type covers PostgreSQL session events with full request fields (simple queries, startup parameters, SASL authentication) and response fields (row counts, command completion, parameter status).
The modbus type captures industrial Modbus protocol transactions including function codes, access types, exception responses, diagnostic subfunctions, and MEI encapsulated interface data.
Mar 13, 2026 · @mavam, @codex · #5902
read_syslog and parse_syslog now extract a leading RFC 5424-style
structured-data block from RFC 3164 message content.
This pattern occurs in practice with some VMware ESXi messages, where
components such as Hostd emit a legacy syslog record and prepend structured
metadata before the human-readable message text.
For example, this raw syslog line:
<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: [Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed
now parses as:
{
facility: 20,
severity: 6,
timestamp: "2026-02-11T18:01:45.587Z",
hostname: "esxi-01.example.invalid",
app_name: "Hostd",
process_id: "2099494",
structured_data: {
"Originator@6876": {
sub: "Vimsvc.TaskManager",
opID: "11111111-2222-3333-4444-555555555555",
},
},
content: "Task Completed",
}
Events without extracted structured data keep the existing syslog.rfc3164
schema. Events with extracted structured data use
syslog.rfc3164.structured.
Mar 10, 2026 · @IyeOnline, @satta · #5888
The bundled Suricata schema now aligns with Suricata 8, enabling proper parsing and representation of events from Suricata 8 deployments.
This update introduces support for new event types including POP3, ARP, and BitTorrent DHT, along with enhancements to existing event types. QUIC events now include ja4 and ja4s fields for fingerprinting, DHCP events include vendor_class_identifier, and TLS certificate timestamps now use the precise time type instead of string representation.
These schema changes ensure that Tenzir can reliably ingest and process telemetry from Suricata 8 without data loss or type mismatches.
Mar 11, 2026 · @jachris · #5893
In some situations, pipelines could not be successfully started, leading to timeouts and a non-responsive node, especially during node start.
Mar 10, 2026 · @IyeOnline, @codex · #5886
Pipelines using chained list transforms such as xs.where(...).map(...).where(...) no longer trigger an internal assertion on sliced input batches.
Mar 9, 2026 · @mavam, @codex · #5877
Invalid Google Cloud credentials in from_google_cloud_pubsub no longer crash the node. Authentication errors now surface as operator diagnostics instead.
Mar 12, 2026 · @lava
We upgraded Python dependencies and added system-level package upgrades to the Docker images to address known vulnerabilities.
Mar 11, 2026 · @realllydan
We fixed an issue where switching away from a pipeline that has the Insights tab available to one that does not could leave the tab selection in an invalid state.
]]>The bundled GitHub Actions workflows now use Node 24-compatible action versions, which keeps CI, release, and publishing automation aligned with GitHub's runtime transition. The release and sync workflows also mint GitHub App installation tokens without relying on a deprecated JavaScript action.
Release commands and the Python API now handle release versions more consistently when changelog data mixes tag-style versions such as v1.2.3 with bare semantic versions such as 1.2.3. This improves compatibility with existing changelog histories and makes release automation more reliable across commands that inspect, create, show, and publish releases.
Skipping a test no longer modifies its baseline file. Previously, running
with --update would overwrite the baseline of a skipped test with an empty
file, and running without --update would fail if the baseline was non-empty.
Skipped tests now leave existing baselines untouched, so toggling a skip
condition no longer causes unrelated baseline churn.
init command scaffolds changelog projects interactively or non-interactively, so you can set up a standalone or package-based project in less time. It also protects existing projects from accidental overwrites.
A new init command allows for scaffolding a new changelog project interactively or with the --yes flag. It supports both standalone and package modes, and prevents accidental overwriting of existing projects.
tenzir-ship init
This reduces the manual effort required to set up a new changelog.
]]>Mar 10, 2026 · @lava
The app container now supports a PRIVATE_WEBSOCKET_GATEWAY_ENDPOINT environment variable that overrides the existing PUBLIC_WEBSOCKET_GATEWAY_ENDPOINT for calls in the app backend. This allows configuring different endpoints when the frontend and backend live in different networks.
Mar 10, 2026 · @realllydan
The pipeline detail modal now includes an experimental Insights tab that visualizes per-operator backpressure, helping users identify bottlenecks in their pipelines. This tab is only available for pipelines running on the experimental new executor.
Mar 10, 2026 · @lava
We fixed an issue where ephemeral nodes were causing the frontend to fail to render or be displayed with incorrect connection status.
]]>Mar 2, 2026 · @mavam, @codex · #5851
parse_syslog() and read_syslog now accept common Check Point structured-data variants that are not strictly RFC 5424 compliant. This includes key:"value" parameters, semicolon-separated parameters, and records that omit an SD-ID entirely.
For records without an SD-ID, Tenzir now normalizes the structured data under checkpoint_2620, so downstream pipelines can use a stable field path.
For example, the message <134>1 ... - [action:"Accept"; conn_direction:"Incoming"] now parses successfully and maps to structured_data.checkpoint_2620. This improves interoperability with Check Point exports and reduces ingestion-time preprocessing.
Mar 6, 2026 · @IyeOnline · #5805
JSON parsing errors now display the surrounding bytes at the error location. This makes it easier to diagnose malformed JSON in your data pipelines.
For example, if your JSON is missing a closing bracket, the error message shows you the bytes around that location and marks where the parser stopped expecting more input.
Mar 4, 2026 · @tobim, @codex · #5865
The load_tcp operator now makes DNS hostname resolution opt-in with the resolve_hostnames parameter (defaults to false).
Previously, the operator always attempted reverse DNS lookups for peer endpoints, which could fail in environments without working reverse DNS configurations. Now you can enable this behavior by setting resolve_hostnames to true:
load_tcp endpoint="0.0.0.0:5555" resolve_hostnames=true {
read_json
}
When enabled and DNS resolution fails, the operator emits a warning diagnostic (once) instead of failing. This allows the operator to continue functioning in environments where reverse DNS is unavailable or unreliable.
Mar 6, 2026 · @IyeOnline · #5805
We improved the reporting for unexpected diagnostics outside of operator execution, such as during startup. In these cases you will now get the diagnostic message.
Mar 6, 2026 · @IyeOnline · #5805
Fixed multiple issues that could cause errors or incorrect behavior when the schema of parsed events changes between records. This is particularly important when ingesting data from sources that may add, remove, or modify fields over time.
Schema mismatch warnings for repeated fields in JSON objects (which Tenzir interprets as lists) now include an explanatory hint, making it clearer what's happening when a field appears multiple times where a single value was expected.
]]>Mar 5, 2026 · @lava
When you click a deep link in Tenzir Platform but aren't logged in, you're now redirected to your original destination after signing in, instead of landing on the home page.
Feb 18, 2026 · @gitryder
We improved how the nodes list loads, making dependent views feel faster and more responsive across the platform.
Feb 27, 2026 · @gitryder
We fixed an issue where profile images from Gravatar and Microsoft accounts were blocked by the content security policy, causing broken or missing avatars.
Feb 27, 2026 · @gitryder
We fixed an issue where the diagnostics pane could show diagnostics from a different pipeline than the one currently open in the detail modal.
Feb 18, 2026 · @gitryder
We fixed an issue where the context list could appear in a random order when no search was active, causing items to jump around. The list now uses a stable alphabetical order so it stays consistent and easier to interact with.
Feb 18, 2026 · @gitryder
We fixed an issue where opening a pipeline link for a workspace you don’t have access to would log you out. You are now redirected to the access page where you can open the link in your default workspace.
]]>Mar 4, 2026 · @mavam, @claude, @codex
We improved clarity and efficacy of the releasing process in the tenzir-ship agent skill.
Mar 2, 2026 · @IyeOnline · #5855
We fixed a bug that could cause a crash when reading JSON data.
Mar 2, 2026 · @jachris · #5841
The CEF parser now handles unescaped = characters (which are not conforming to
the specification) by using a heuristic.
Mar 1, 2026 · @mavam, @claude, @codex · #11
The pi-tenzir-ship package provides a skill for AI coding agents to perform
release engineering tasks. Install it in Pi with:
pi install npm:pi-tenzir-ship
Then activate it with /skill:tenzir-ship.
The skill covers adding changelog entries, cutting standard and module releases, triggering GitHub Actions release workflows, and publishing releases to GitHub.
Feb 28, 2026 · @mavam, @codex · #10
The release creation command now automatically updates version fields in package manifest files during release. When creating a release, tenzir-ship detects and updates package.json, pyproject.toml, project.toml, and Cargo.toml files in your project, including support for dynamic version files in monorepo workspaces.
You can control this behavior with the release.version_bump_mode configuration option in your config.yaml:
auto (default): Automatically detect and update version filesoff: Skip version file updatesFor more granular control, use the release.version_files option to explicitly specify which files to update. Auto-detection searches the project root and parent directory (for nested changelog projects) and gracefully skips files without static version fields.
Release version selection now defaults to automatic bumping when you run
release create without an explicit version and without --patch, --minor,
or --major. The next version is inferred from unreleased entry types:
If no unreleased changelog entries exist, automatic bumping is not available. In that case, provide an explicit version or a manual bump flag to create an intro-only release.
The stats command now reports the computed next release version (or no value
when no automatic bump can be inferred), including in stats --json.
Feb 28, 2026 · @mavam, @codex · #9
Create releases with only introductory text and no changelog entries by using the --intro or --intro-file flags with release create. This is useful when re-publishing a package after yanking a previous artifact or retrying a failed publish workflow—scenarios where you want to create a new release version without adding changelog entries.
Previously, you had to provide at least one changelog entry to create a release. Now the release creation allows you to skip the entries entirely if you supply intro text. The --intro flag accepts text directly, while --intro-file reads from a Markdown file.
reusable-release.yaml now acts as a minimal opinionated wrapper around a new
reusable-release-advanced.yaml workflow.
The advanced workflow adds optional hooks and release controls for complex
consumers: pre/post publish scripts, non-main --no-latest publishing,
optional copy of release directories to main, latest branch updates, a
skip-publish dry-run mode, and workflow outputs for version and
is_latest.
Release commands now validate changelog directory structure before they run and fail fast when it is invalid.
release create and release publish now stop with explicit errors when stray files or directories are detected (for example, an unexpected changelog/next/ directory). Other commands (show, add, stats, and release version) emit warnings so layout problems are visible earlier, while validate reports full structural issues as regular validation errors.
Feb 15, 2026 · @mavam, @claude · #7
When a release step fails, the full command now prints below the progress panel so you can copy-paste it for manual recovery.
Previously, long commands would get truncated in the release progress panel, making it difficult to reproduce the failure manually. Now when a step fails, the complete command is displayed in full below the panel, giving you what you need to debug and retry the operation.
]]>Feb 27, 2026 · @mavam, @codex · #5846
The new experimental hmac function computes Hash-based Message
Authentication Codes (HMAC) for strings and blobs. It supports SHA-256
(default), SHA-512, SHA-384, SHA-1, and MD5 algorithms.
Note: The key parameter is currently a plain string because function
arguments cannot be secrets yet. We plan to change this in the future.
from {
signature: hmac("hello world", "my-secret-key"),
}
{
signature: "90eb182d8396f16d4341d582047f45c0a97d73388c5377d9ced478a2212295ad",
}
Specify a different algorithm with the algorithm parameter:
from {
signature: hmac("hello world", "my-secret-key", algorithm="sha512"),
}
Feb 27, 2026 · @IyeOnline · #5842
We fixed a bug that would cause an assertion failure "Index error: array slice would exceed array length". This was introduced as part of an optimization in Tenzir Node v5.27.0.
]]>Parallel suites are now scheduled more reliably when running with --jobs > 1, so interdependent tests (for example publisher/subscriber pairs) start together sooner instead of being delayed behind large backlogs of unrelated tests.
This update also adds an explicit correctness guard for parallel suites: you can set suite.min_jobs in test.yaml to declare the minimum job count required for valid execution. The run now fails fast if --jobs is lower than suite.min_jobs, and it also fails hard when a parallel suite cannot reserve at least min_jobs workers at runtime (for example under slot contention), instead of proceeding under-provisioned.
In addition, the harness now warns when a parallel suite has more tests than available jobs, making it easier to spot cases where effective suite parallelism is capped by worker count.
]]>Feb 24, 2026 · @lava
Fixed in issue where the platform plugin did not correctly use the
configured certfile, keyfile and cafile options for client
certificate authentication, and improved the error messages for TLS
issues during platform connection.
Feb 25, 2026 · @mavam, @codex · #32
Python fixture tests could fail with serialization errors when the test
configuration included enum values like mode: sequential in test.yaml.
These values are now properly converted to strings before being passed to
test scripts.
Feb 24, 2026 · @mavam, @codex · #29
Test suites can now execute their members in parallel by specifying mode: parallel in the suite configuration. By default, suites continue to run tests sequentially for stability and predictability.
To enable parallel execution, set mode: parallel in the test.yaml file alongside the suite configuration:
suite:
name: my-suite
mode: parallel
fixtures:
- node
Parallel suite execution is useful when tests within a suite are independent and can safely run concurrently. All suite members share the same fixtures and execute within the same fixture lifecycle, while test execution itself happens on separate threads. The suite thread pool is bounded by --jobs, so suite-level concurrency stays within the configured worker budget and does not scale unbounded with suite size.
Suite-level constraints like timeouts, fixture requirements, and capability checks still apply uniformly across all members, whether running sequentially or in parallel.
Feb 25, 2026 · @mavam, @codex · #31
Interrupting test runs with Ctrl+C now exits cleanly without leaking Python tracebacks from subprocess or fixture startup/teardown paths. Interrupt-shaped errors (including nested causes with signal-style return codes such as 130) are treated as graceful cancellation so the CLI reports interrupted tests instead of crashing.
Feb 24, 2026 · @mavam, @codex · #30
Shell test files (.sh) now always default to the "shell" runner, even when a directory-level test.yaml file specifies a different runner (for example, runner: tenzir). This makes shell scripts work reliably in mixed-runner directories without requiring explicit runner: frontmatter in each file. Explicit runner: declarations in test file frontmatter still take precedence and can override this behavior if needed.
Manual fixture control now behaves consistently for fixtures that declare dataclass options.
Previously, starting a fixture with acquire_fixture(...) could fail when no
explicit options were provided, even if the fixture defined defaults.
With this fix, current_options(...) returns default typed options in the
manual fixture-control path, so fixtures started manually and fixtures started
through normal test activation behave the same way.
Feb 22, 2026 · @mavam, @codex · #5819
The slice function now supports list types in addition to string. You can slice lists using the same begin, end, and stride parameters. Negative stride values are now supported for lists, letting you reverse or step backward through list data. String slicing continues to require a positive stride.
Example usage with lists:
[1, 2, 3, 4, 5].slice(begin=1, end=4) returns [2, 3, 4][1, 2, 3, 4, 5].slice(stride=-1) returns the list in reverse order[1, 2, 3, 4, 5].slice(begin=1, end=5, stride=-2) returns [5, 3]Feb 17, 2026 · @mavam, @codex · #5767
The sort function now supports two new parameters: desc for controlling
sort direction and cmp for custom comparison logic via binary lambdas.
Sort in descending order:
from {xs: [3, 1, 2]}
select ys = sort(xs, desc=true)
{ys: [3, 2, 1]}
Sort records by a specific field using a custom comparator:
from {xs: [{v: 2, id: "b"}, {v: 1, id: "a"}, {v: 2, id: "c"}]}
select ys = sort(xs, cmp=(left, right) => left.v < right.v)
{
ys: [
{v: 1, id: "a"},
{v: 2, id: "b"},
{v: 2, id: "c"},
],
}
The cmp lambda receives two elements and returns a boolean indicating whether
the first element should come before the second. Both parameters can be combined
to reverse a custom comparison.
Feb 17, 2026 · @tobim
The read_lines operator was accidently broken while it was ported
to the new execution API. This change restores its functionality.
HTTP header values containing colons are now parsed correctly.
]]>Feb 18, 2026 · @gitryder
We improved the clarity and usability of Explorer charts. Legends are now collapsible, easier to read, and support filtering series directly. Pie chart legends adapt better to available space, and tooltips provide clearer information.
We also expanded the chart color palette for better visual distinction between series, fixed bar chart x-axis labels overlapping when there are many data points, and refined chart layout and behavior for a smoother overall experience.
Feb 18, 2026 · @gitryder
Resolved an issue where your Google profile picture did not appear in the workspace switcher. The image now loads and displays correctly.
Feb 17, 2026 · @lava
Fixed a bug where the static workspace synchronization used stale loop variables during cleanup, causing stale workspaces to persist and the last configured workspace to be incorrectly deleted.
Feb 17, 2026 · @gitryder
We fixed an issue where pressing ESC to close a pipeline detail view caused the pipeline list to stop responding to clicks.
]]>Feb 22, 2026 · @mavam, @codex · #28
Test suites can now declare operator dependencies with a requires configuration key in test.yaml. When a required operator is unavailable in the target Tenzir build, you can gracefully skip the suite by pairing requires with skip: {on: capability-unavailable}.
The skip.on key now accepts either a single condition as a string or a list of conditions, letting you skip on either fixture-unavailable or capability-unavailable (or both). When a capability is unavailable and the suite doesn't opt into skipping, the test run fails with a clear error message listing the missing operators.
Example configuration in test.yaml:
requires:
operators: [from_gcs, to_s3]
skip:
on: capability-unavailable
reason: requires from_gcs and to_s3 operators
This ensures test suites targeting specific capabilities only run when those capabilities are present, improving test reliability in heterogeneous build environments.
]]>Feb 18, 2026 · @mavam, @codex · #27
Fixtures can now define assertion hooks that run after test execution completes while fixtures remain active. Define assertions using the assertions parameter with a frozen dataclass type, then pass fixture-specific assertion payloads under assertions.fixtures.<name> in test frontmatter. The framework automatically invokes the assert_test hook with assertion data before tearing down fixtures, letting you validate side effects like HTTP requests or log output.
Example usage with an HTTP fixture:
fixtures: [http]
assertions:
fixtures:
http:
count: 1
method: POST
path: /api/endpoint
body: '{"key":"value"}'
The HTTP fixture receives the typed assertion payload and validates that the expected request was received. Payload structure is fixture-defined, so fixtures can choose flat fields or nested schemas as needed.
Assertion checks are tracked separately from test counts in the run summary as pass/fail check metrics, so fixture-level validations are visible without changing total test counts.
]]>Feb 17, 2026 · @gitryder
We updated the Platform's underlying framework dependencies to include their latest security fixes.
]]>Feb 16, 2026 · @mavam, @codex · #26
The test harness no longer initializes fixtures for suites where all tests are statically skipped. Previously, fixtures were activated even when no tests would run, causing unnecessary startup overhead and potential errors.
Feb 16, 2026 · @mavam, @codex · #25
When a fixture becomes unavailable during test execution, the test harness now provides a clean error message instead of a Python traceback.
]]>Feb 15, 2026 · @mavam, @codex · #23, #24
tenzir-test now supports both coarse and fine-grained controls for running skipped tests.
Use --run-skipped as a sledgehammer, or --run-skipped-reason with the same matching semantics as --match (bare substring or glob):
tenzir-test --run-skipped
tenzir-test --run-skipped-reason 'maintenance'
tenzir-test --run-skipped-reason '*docker*'
If both options are provided, --run-skipped takes precedence.
Feb 15, 2026 · @mavam, @codex · #22
Writing container-based fixtures no longer requires duplicating boilerplate for runtime detection, process management, and readiness polling.
The new container_runtime module provides reusable building blocks that handle
the common plumbing: detecting whether Docker or Podman is available, launching
containers in detached mode, polling for service readiness, and tearing down
cleanly. Custom fixtures can import these helpers and focus on their
service-specific logic instead.
The built-in docker-compose fixture and the example project now use these
shared helpers internally.
Adds a built-in docker-compose fixture that starts and tears down Docker Compose services from structured fixture options.
The fixture validates Docker Compose availability, waits for service readiness (health-check first, running-state fallback), and exports deterministic service environment variables (including host-published ports).
Feb 14, 2026 · @mavam, @claude · #20
You can now start fixtures in foreground mode without running any tests by using the --fixture option. This lets you provision services (like a database or message broker) and use them in your workflow.
Specify fixture names or YAML-style configuration:
uvx tenzir-test --fixture mysql
uvx tenzir-test --fixture 'kafka: {port: 9092}' --debug
The harness prints fixture-provided environment variables like HOST, PORT, and DATABASE, then keeps services running until you press Ctrl+C. You can repeat --fixture to activate multiple fixtures. The option is mutually exclusive with positional TEST arguments.
Feb 12, 2026 · @mavam, @claude · #5753
User-defined operators in packages can now declare optional field-type parameters with null as the default value. This allows operators to accept field selectors that are not required to be provided.
When a field parameter is declared with type: field and default: null, you can omit the argument when calling the operator, and the parameter will receive a null value instead. You can then check whether a field was provided by comparing the parameter to null within the operator definition.
Example:
In your package's operator definition, declare an optional field parameter:
args:
named:
- name: selector
type: field
default: null
In the operator implementation, check if the field was provided:
set result = if $selector != null then "field provided" else "field omitted"
When calling the operator, the field argument becomes optional:
my_operator # field is null
my_operator selector=x.y # field is x.y
Only null is allowed as the default value for field parameters. Non-null defaults are rejected with an error during package loading.
Feb 11, 2026 · @mavam, @claude
The paginate parameter for the from_http and http operators now supports link-based pagination via the Link HTTP header.
Previously, pagination was only available through a lambda function that extracted the next URL from response data. Now you can use paginate="link" to automatically follow pagination links specified in the response's Link header, following RFC 8288. This is useful for APIs that use HTTP header-based pagination instead of embedding next URLs in the response body.
The operator parses the Link header and follows the rel=next relation to automatically fetch the next page of results.
Example:
from_http "https://api.example.com/data", paginate="link"
If an invalid pagination mode is provided (neither a lambda nor "link"), the operator now reports a clear error message.
Feb 6, 2026 · @mavam, @claude · #5721, #5738
The from_mysql operator lets you read data directly from MySQL databases.
Read a table:
from_mysql table="users", host="localhost", port=3306, user="admin", password="secret", database="mydb"
List tables:
from_mysql show="tables", host="localhost", port=3306, user="admin", password="secret", database="mydb"
Show columns:
from_mysql table="users", show="columns", host="localhost", port=3306, user="admin", password="secret", database="mydb"
And ultimately execute a custom SQL query:
from_mysql sql="SELECT id, name FROM users WHERE active = 1",
host="localhost",
port=3306,
user="admin",
password="secret",
database="mydb"
The operator supports TLS/SSL connections for secure communication with MySQL
servers. Use tls=true for default TLS settings, or pass a record for
fine-grained control:
from_mysql table="users", host="db.example.com", database="prod", tls={
cacert: "/path/to/ca.pem",
certfile: "/path/to/client-cert.pem",
keyfile: "/path/to/client-key.pem",
}
The operator supports MySQL's caching_sha2_password authentication method and automatically maps MySQL data types to Tenzir types.
Use live=true to continuously stream new rows from a table. The operator
tracks progress using a watermark on an integer column, polling for rows above
the last-seen value:
from_mysql table="events", live=true, host="localhost", database="mydb"
By default, the tracking column is auto-detected from the table's auto-increment primary key. To specify one explicitly:
from_mysql table="events", live=true, tracking_column="event_id",
host="localhost", database="mydb"
Feb 12, 2026 · @IyeOnline
We have significantly improved the performance of the write_lines operator.
Feb 12, 2026 · @mavam, @claude · #5752
User-defined operators in packages can now declare parameters with the secret type to ensure that secret values are properly handled as secret expressions:
args:
positional:
- name: api_key
type: secret
description: "API key to use for authentication"
Feb 5, 2026 · @mavam, @claude · #5728
The merge() function now performs a recursive deep merge when merging two records. Previously, nested fields were dropped when merging, so merge({hw: {sn: "XYZ123"}}, {hw: {model: "foobar"}}) would incorrectly produce {hw: {model: "foobar"}} instead of recursively merging the nested fields. The function now correctly produces {hw: {sn: "XYZ123", model: "foobar"}} by materializing both input records and performing a deep merge on them.
Feb 13, 2026 · @mavam, @claude · #19
Configuration override log messages now use relative paths and human-friendly formatting instead of absolute paths and raw Python repr output, making debug output easier to read.
]]>Feb 11, 2026 · @mavam, @claude · #18
Fixture options now support nested dataclass hierarchies, allowing you to structure complex configurations with multiple levels of organization.
Previously, fixture options were limited to flat fields. Now you can declare nested dataclasses as field types, and tests can pass deeply structured options through frontmatter:
fixtures:
- node:
server:
message:
greeting: world
Type safety is preserved across all nesting levels. Optional nested fields (declared with Optional[T] or T | None) are supported, and omitted nested records use their default values. The example server fixture demonstrates this capability with a message.greeting field that flows through to environment variables.
Feb 10, 2026 · @lava
We upgraded pnpm to 9.15.0 in the frontend Docker image to address CVE-2024-53866.
]]>Feb 10, 2026 · @mavam, @claude · #17
Fixtures can now receive typed configuration options passed from test YAML files.
Declare options on a fixture with @fixture(options=MyDataclass), where MyDataclass is a frozen dataclass. Tests can then provide structured options in their frontmatter using either compact syntax (for simple cases) or expanded syntax (for clarity):
fixtures:
- node:
tls: true
port: 8443
- http:
port: 9090
The @fixture decorator validates that option keys match the dataclass fields, and the fixture retrieves its typed instance using current_options(name). When options aren't provided, fixtures receive a default-constructed instance of their options class.
The feature maintains backward compatibility with the existing fixtures: [node, http] syntax for fixtures without options.
Feb 3, 2026 · @mavam, @claude · #5715
The sigma operator now correctly loads all rules when given a directory containing multiple Sigma rule files. Previously, only the last processed rule file would be retained because the rules collection was being cleared on every recursive directory traversal.
sigma "/path/to/sigma/rules"
All rules found in the directory and its subdirectories will now be loaded and used to match against input events.
]]>You can now click on the Ingress or Egress legend item to isolate that series in the activity chart. Clicking again shows both series, making it easier to analyze each metric when lines overlap.
Feb 6, 2026 · @gitryder
We added a toggle in the Explorer table Inspector that lets you wrap lines for easier reading.
We now display the current platform version at the bottom of the workspace switcher dropdown,️ making it easier to always see which version you’re on.
Jan 28, 2026 · @gitryder · #38
We added sorting for the Live Activity column in the pipelines table, so you can easily order pipelines by their activity level.
Jan 28, 2026 · @gitryder · #29
We unified the Available and Installed library tabs into a single view, so you can see which packages are installed without switching tabs. You can also uninstall packages directly from the same page.
Feb 9, 2026 · @lava
We fixed a bug in the Inspector where strings containing backslashes were not displayed correctly. Backslashes were not being escaped in TQL string rendering. For example, a string like Hello \World\ was previously rendered as "Hello \World\" instead of "Hello \\World\\". The fix ensures backslashes are properly escaped when displayed.
skip
configurations in test.yaml failed with a JSON serialization error.
Python fixture tests that use skip in their test.yaml no longer fail with
Object of type SkipConfig is not JSON serializable.
-m/--match flag with automatic substring matching and centralizes skip handling in the engine for more consistent test reporting.
Feb 6, 2026 · @mavam, @claude · #16
The -m/--match flag now treats bare strings as substring matches automatically.
Previously, you had to use glob syntax like tenzir-test -m '*mysql*' to match tests by name. Now you can write tenzir-test -m mysql and it automatically matches any test path containing "mysql". This makes the common case of substring matching simpler and more intuitive.
Patterns that contain glob metacharacters (*, ?, [) still use fnmatch syntax as before, so existing patterns with wildcards continue to work exactly as they did. This change is fully backwards-compatible.
Feb 6, 2026 · @mavam, @claude · #15
Skip handling now lives in the engine instead of individual runners. Skipped tests are recorded consistently in summary stats regardless of which runner executes them, so skip counts and paths in the test report are always accurate.
Previously, each runner duplicated the same skip-config parsing, which could
lead to inconsistent skip tracking. Custom runners no longer need to implement
skip logic because the engine evaluates the skip configuration before
dispatching to any runner.
-m/--match CLI option.
Feb 6, 2026 · @mavam, @claude · #13
Select tests by relative path using the new -m/--match option with fnmatch glob patterns. You can repeat the option to match multiple patterns, and tests matching any pattern are selected. When you combine TEST paths with -m patterns, the framework runs only tests matching both (intersection). If a matched test belongs to a suite configured via test.yaml, all tests in that suite are included automatically. Empty or whitespace-only patterns are silently ignored.
Example: tenzir-test -m '*context*' -m '*create*' runs all tests whose paths contain "context" or "create" anywhere in the name.
Feb 2, 2026 · @mavam, @claude · #12
The help text for the tenzir-test command now provides more context and guidance.
The command description now explains the baseline comparison behavior and shows how to regenerate baselines with the --update flag.
We fixed an issue where the workspace switcher dropdown did not open on the pipeline detail page.
Fixed a bug that could leave users with a stale user key in their session, causing authentication failures. The platform now proactively checks for expired user keys and refreshes them automatically.
]]>Jan 31, 2026 · @mavam, @claude
The test harness now supports .stdin files for piping data directly to test processes.
Place a .stdin file next to any test to have its contents automatically piped to the subprocess stdin. The harness also sets the TENZIR_STDIN environment variable with the file path. This is particularly useful for TQL tests where you can start a pipeline with a parser directly:
read_csv
where count > 10
Instead of using .input files with from_file env("TENZIR_INPUT"). Both approaches remain valid—choose whichever fits your test better.
Shell and Python tests can also read from stdin or access TENZIR_STDIN when needed. Custom runners can use get_stdin_content(env) to read the file contents and pass them via the stdin_data parameter to run_subprocess().
Jan 27, 2026 · @mavam, @claude
When listing projects in the execution plan, satellite projects now display their path relative to the root project instead of just their directory name. This makes satellite projects with identical directory names distinguishable. Additionally, project markers have been refined: root projects use a filled marker (● for packages, ■ for regular projects), while satellite projects use an empty marker (○ for packages, □ for regular projects).
]]>where, replace, and if operators, along with Kafka decompression support and a new raw_message option for the read_syslog operator.
Jan 27, 2026 · @mavam, @claude · #5687
The read_syslog operator now supports a raw_message parameter that preserves the original, unparsed syslog message in a field of your choice. This is useful when you need to retain the exact input for auditing, debugging, or compliance purposes.
When you specify raw_message=<field>, the operator stores the complete input message (including all lines for multiline messages) in the specified field. This works with all syslog formats, including RFC 5424, RFC 3164, and octet-counted messages.
For example:
read_syslog raw_message=original_input
This stores the unparsed message in the original_input field alongside the parsed structured fields like hostname, app_name, message, and others.
Jan 30, 2026 · @jachris · #5701
The condition of if statements is no longer erroneously evaluated early when
it contains a lambda expression that references runtime fields.
Jan 30, 2026 · @raxyte, @claude · #5697
Kafka connectors now support decompressing messages with zstd, lz4 and gzip.
Jan 29, 2026 · @jachris, @claude · #5698
The JSON parser no longer intermittently fails with "The input is not valid UTF-8" when parsing data containing multi-byte UTF-8 characters such as accented letters or emojis.
Jan 29, 2026 · @mavam, @claude · #5696
The replace operator no longer triggers an assertion failure when using
with=null on data processed by operators like ocsf::cast.
load_file "dns.json"
read_json
ocsf::cast "dns_activity"
replace what="", with=null
Jan 28, 2026 · @jachris, @claude
The where operator optimization now correctly handles optional fields marked with ?. Previously, the optimizer didn't account for the optional marker, which could result in incorrect query optimization. This fix ensures that optional field accesses are handled properly without affecting the optimization of regular field accesses.
Jan 22, 2026 · @tobim, @claude · #5605
The summarize operator now supports periodic emission of aggregation results at fixed intervals, enabling real-time streaming analytics and monitoring use cases.
Use the options named argument with frequency to emit results every N seconds:
summarize count(this), src_ip, options={frequency: 5s}
This emits aggregation results every 5 seconds, showing the count per source IP for events received during each interval:
{src_ip: 192.168.1.1, count: 42}
{src_ip: 192.168.1.2, count: 17}
// ... 5 seconds later ...
{src_ip: 192.168.1.1, count: 38}
{src_ip: 192.168.1.3, count: 9}
The mode parameter controls how aggregations behave across emissions:
Reset mode (default) resets aggregations after each emission, providing per-interval metrics:
summarize sum(bytes), options={frequency: 10s}
// Shows bytes per 10-second window
Cumulative mode accumulates values across emissions, providing running totals:
summarize sum(bytes), options={frequency: 10s, mode: "cumulative"}
// Shows total bytes seen so far
Update mode emits only when values change from the previous emission, reducing output noise in monitoring scenarios:
summarize count(this), severity, options={frequency: 1s, mode: "update"}
// Emits only when the count for a severity level changes
The operator always emits final results when the input stream ends, ensuring no data is lost.
Jan 21, 2026 · @tobim, @claude · #5675
The load_sqs, save_sqs, from_s3, to_s3, from_kafka, and to_kafka operators now support AWS IAM authentication through a new aws_iam option. You can configure explicit credentials, assume IAM roles, use AWS CLI profiles, or rely on the default credential chain.
The aws_iam option accepts these fields:
profile: AWS CLI profile name for credential resolutionaccess_key_id: AWS access key IDsecret_access_key: AWS secret access keysession_token: AWS session token for temporary credentialsassume_role: IAM role ARN to assumesession_name: Session name for role assumptionexternal_id: External ID for role assumptionAdditionally, the SQS and Kafka operators accept a top-level aws_region option:
load_sqs and save_sqs: Configures the AWS SDK client region for queue URL resolutionfrom_kafka and to_kafka: Required for MSK authentication (used to construct the authentication endpoint URL)You can also combine explicit credentials with role assumption. This uses the provided credentials to call STS AssumeRole and obtain temporary credentials for the assumed role:
load_sqs "my-queue", aws_iam={
access_key_id: "AKIAIOSFODNN7EXAMPLE",
secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
assume_role: "arn:aws:iam::123456789012:role/my-role"
}
For example, to load from SQS with a specific region:
load_sqs "my-queue", aws_region="us-east-1", aws_iam={
access_key_id: "AKIAIOSFODNN7EXAMPLE",
secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
To use an AWS CLI profile:
load_sqs "my-queue", aws_iam={
profile: "production"
}
To assume an IAM role:
from_s3 "s3://bucket/path", aws_iam={
assume_role: "arn:aws:iam::123456789012:role/my-role",
session_name: "tenzir-session",
external_id: "unique-id"
}
For Kafka MSK authentication, the aws_region option is required:
from_kafka "my-topic", aws_region="us-east-1", aws_iam={
profile: "production"
}
When no explicit credentials or profile are configured, operators use the AWS SDK's default credential provider chain, which checks environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), AWS configuration files (~/.aws/credentials), EC2/ECS instance metadata, and other standard sources. This applies both when aws_iam is omitted entirely and when aws_iam is specified without access_key_id, secret_access_key, or profile.
Jan 21, 2026 · @mavam, @claude
The parse_syslog function now supports RFC 6587 octet-counted framing, where syslog messages are prefixed with their byte length (for example, 65 <syslog-message>). This framing is commonly used in TCP-based syslog transport to handle message boundaries.
The new octet_counting parameter for parse_syslog offers three modes:
octet_counting=true: Require a length prefix. Emits a warning and returns null if the input lacks a valid prefix.octet_counting=false: Never strip a length prefix. Parse the input as-is.Jan 12, 2026 · @IyeOnline · #5646
We have added support for per-actor/per-thread allocation tracking. When enabled, these stats will track which actor (or thread) allocated how much memory. This gives much more detailed insights into where memory is allocated. By default these detailed statistics are not collected, as they introduce a cost to every allocation.
Jan 20, 2026 · @mavam, @claude · #5673
The ocsf::derive operator now preserves original field order instead of
reordering alphabetically. Derived enum/sibling pairs are inserted at the
position of the first field, ordered alphabetically within each pair (e.g.,
activity_id before activity_name). Non-OCSF fields remain at their original
positions.
For example, given the input:
{foo: 1, class_uid: 1001}
The output is now:
{foo: 1, class_name: "...", class_uid: 1001}
Previously, the output was alphabetically sorted:
{class_name: "...", class_uid: 1001, foo: 1}
Jan 19, 2026 · @jachris · #5670
The from_s3 and from_azure_blob_storage operators now also delete existing
directory marker objects along the glob path when remove=true. Directory
markers are zero-byte objects with keys ending in / that some cloud storage
tools create. These artifacts can accumulate over time, increasing API costs and
slowing down listing operations.
Jan 23, 2026 · @raxyte · #5677
The from_http server now has a stable memory usage when used with a slow
downstream, especially in situations where the client timeouts and retries
requests.
Jan 22, 2026 · @jachris, @claude · #5680
In rare cases, a phantom pipeline with an empty ID could appear in the pipeline list that couldn't be deleted through the API.
Jan 12, 2026 · @raxyte, @codex · #5654
The from_kafka operator now commits offsets per partition and tracks partition
EOFs based on the current assignment, preventing premature exits and
cross-partition replays after restarts.
Deleting files from S3 or Azure Blob Storage via from_s3 or
from_azure_blob_storage with the remove=true option no longer creates empty
directory marker objects in the parent directory when the last file of the
directory is deleted.
--debug flag automatically enable verbose output, so you see all test results when diagnosing failures.
Jan 26, 2026 · @mavam, @claude · #9
The --debug flag (or TENZIR_TEST_DEBUG=1 environment variable) now automatically enables verbose output. When debugging test failures, you now see all test results (pass/skip/fail) instead of only failures, making it easier to diagnose issues. This provides more context without requiring users to pass both --debug and --verbose flags separately.
Jan 22, 2026 · @lava
The platform frontend now supports configurable response headers and Content Security Policy (CSP) for standalone deployments.
Set TENZIR_PLATFORM_UI_ENABLE_RESPONSE_HEADERS_DEFAULT=true to enable default security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy). Use TENZIR_PLATFORM_UI_RESPONSE_HEADERS_DEFAULT with a JSON object to override with custom headers.
Set TENZIR_PLATFORM_UI_ENABLE_RESPONSE_HEADERS_HSTS=true to enable HTTP Strict Transport Security for HTTPS deployments.
Set TENZIR_PLATFORM_UI_ENABLE_RESPONSE_HEADERS_CSP=true to enable Content Security Policy, which helps prevent XSS and other injection attacks.
Jan 21, 2026 · @gitryder · #19
We improved how pipeline details load, making the view faster than before when navigating between pipelines. We also added a close button next to the overflow menu on the right so you can quickly exit a pipeline while browsing pipeline details.
Jan 20, 2026 · @lava
Authentication tokens (idToken and userKey) are now stored in the server-side session database instead of browser cookies. This improves security by keeping sensitive tokens accessible only via the session cookie identifier, preventing direct client-side access to authentication credentials.
Jan 19, 2026 · @lava
The seaweed S3 storage component now supports an optional Caddy reverse proxy that improves S3 error handling. Set TENZIR_ENABLE_CADDY=true to enable it. The reverse proxy intercepts 404 responses and returns proper S3-style error messages.
Jan 21, 2026 · @gitryder · #37
We now hide technical error details in error messages. You can click "Show error details" to expand them anytime, and use the copy button to share with support.
Jan 26, 2026 · @lava
Fixed a potential infinite hang in the Tenzir UI that could be triggered by a rare race condition where the Tenzir Node returned duplicate pipeline ids.
Jan 21, 2026 · @gitryder · #19
We fixed an issue where deleting a pipeline could cause the interface to become unresponsive.
]]>