flow_id that mix signed and unsigned values no longer cause unnecessary table-slice splits. It also extends ocsf::derive to handle list-valued enum fields for full bidirectional OCSF enum normalization.
Apr 30, 2026 · @jachris, @mavam, @codex · #5354
ocsf::derive now derives OCSF enum sibling fields for lists, not just scalar enum fields. For example, DNS answers with flag_ids: [1, 3, 4] now also get flags: ["Authoritative Answer", "Recursion Desired", "Recursion Available"], and the reverse direction works for flags to flag_ids as well.
May 5, 2026 · @IyeOnline, @claude
Parsing data that mixes int64 and uint64 values in the same field no longer
produces unnecessary table-slice splits, improving batching performance. Fields
like flow_id that are always non-negative but occasionally exceed the signed
integer limit of 2^63 − 1 are now merged into a single uint64 column where
possible, instead of being emitted as separate slices.
May 6, 2026 · @mavam, @codex · #6128
Empty if branches no longer crash when running pipelines with the new executor. For example, if false {} now behaves like an empty pass-through branch instead of triggering an internal assertion failure.
Configured startup pipelines can now reference operators from static packages reliably. Previously, such pipelines could fail during node startup with module <package> not found, even though the same package operator worked when run manually after startup.
May 2, 2026 · @mavam, @codex · #6108
Package UDOs now load correctly when a typed string default looks like a TQL pattern, such as default: "/tmp-data/".
Previously, loading such a package could abort with an unexpected internal error before any pipeline ran.
]]>May 5, 2026 · @mavam, @codex · #40
Hook diagnostics emitted with --debug now use the same formatting as the rest of the harness debug trace. Previously, hook invocation messages used ad-hoc debug: lines, which made debug output inconsistent.
May 4, 2026 · @mavam, @codex · #23
The validate command now reports unknown changelog entry metadata keys instead of silently accepting them. This catches misspelled fields such as co-authors early, before they are ignored by release workflows.
Apr 29, 2026 · @mavam, @codex · #6098
ClickHouse connection errors caused by TLS/plaintext mismatches now include the TLS notes and hint again. This helps identify when to_clickhouse is using TLS against a plaintext ClickHouse endpoint and suggests setting tls=false when appropriate.
Apr 28, 2026 · @tobim, @codex · #6086
Default retention policies now continue deleting metrics and diagnostics as their timestamps age into the retention window, even when older and newer events share a partition.
Previously, a partition that still contained newer events after retention could be skipped by later retention runs, leaving those events behind after they expired.
]]>Tenzir can now consume from and publish to NATS JetStream subjects with
from_nats and to_nats.
Use from_nats to receive one event per message. The raw payload appears in the
message blob field, and metadata_field attaches NATS metadata:
from_nats "alerts", metadata_field=nats
parsed = string(message).parse_json()
Use to_nats to publish one message per event. By default, the operator
serializes the whole event with this.print_ndjson():
from {severity: "high", alert_type: "suspicious-login"}
to_nats "alerts"
Both operators support configurable connection settings, authentication, and
the standard Tenzir tls record.
Apr 27, 2026 · @tobim, @codex · #6082
Static musl builds of tenzir no longer crash on deeply nested generated TQL
expressions.
This affected generated pipelines with deeply nested expressions, for example rules or transformations that expand into long left-associated operator chains.
The tenzir binary now links with a larger default thread stack size on musl,
which brings its behavior in line with non-static builds for these pipelines.
Apr 29, 2026 · @mavam, @codex · #39
Suite-level requires.operators checks now apply consistently to every test runner. Mixed suites that combine TQL, shell, Python, or custom tests no longer depend on the first runner type to decide whether required Tenzir operators are available.
Apr 29, 2026 · @mavam, @codex · #38
Suite-scoped fixture setup and teardown failures now appear as regular test failures instead of aborting the entire run with a Python traceback.
This lets the harness continue with independent queued tests after a fixture assertion or cleanup error.
]]>Apr 27, 2026 · @mavam, @codex · #36
Projects can now register Python hooks that run at stable tenzir-test lifecycle points, including before settings discovery:
from tenzir_test import hooks
@hooks.startup
def use_local_build(ctx):
ctx.path.insert(0, str(ctx.root / "build" / "bin"))
ctx.env["TENZIR_BINARY"] = str(ctx.root / "build" / "bin" / "tenzir")
ctx.env["TENZIR_NODE_BINARY"] = str(ctx.root / "build" / "bin" / "tenzir-node")
This makes it possible to select local Tenzir binaries, prepare project-scoped environment variables, and collect diagnostics for failed tests without wrapping the test command in custom shell scripts. Use --no-hooks or TENZIR_TEST_DISABLE_HOOKS=1 to bypass hooks when debugging.
The from_http operator now supports paginate="odata" for
OData collection
responses such as Microsoft Graph:
from_http "https://graph.microsoft.com/v1.0/users",
headers={"ConsistencyLevel": "eventual"},
paginate="odata" {
read_json
}
This mode emits the objects from the response body's top-level value array
and follows top-level @odata.nextLink URLs until no next link is present. The
next link can be absolute or relative to the current response URL.
Apr 24, 2026 · @mavam, @codex · #6081
The to_sentinelone_data_lake operator now works in pipelines that run on the new executor. Previously, using it there failed before the pipeline could send events.
from {message: "hello"}
to_sentinelone_data_lake "https://example.com", token="TOKEN"
The subnet function now accepts typed IP addresses, plain IP strings, and
existing subnet values with an optional prefix length:
from {source_ip: 10.10.1.124}
net = subnet(source_ip, 24)
This returns 10.10.1.0/24 without converting the IP address to a string first.
When you omit the prefix, IPv4 addresses become /32 host subnets and IPv6
addresses become /128 host subnets.
The unroll operator no longer crashes when expanding very large lists into output that exceeds Arrow's per-array capacity.
The files operator now skips unreadable child directories during recursive traversal, emits a warning for each skipped directory by default, and continues listing accessible siblings. Set skip_permission_denied=true to ignore permission-denied paths silently: this suppresses warnings for skipped child directories and still makes an unreadable initial directory produce no events instead of an error. Non-permission filesystem errors continue to fail the pipeline.
Apr 23, 2026 · @IyeOnline
We fixed an issue in the context::enrich operator that did cause unbounded
memory growth.
Apr 23, 2026 · @tobim, @codex · #6068
Tenzir no longer segfaults on some very deep left-associated boolean
expressions in where clauses due to source-location handling.
Both list and record indexing in TQL now work with signed and unsigned integer indices.
This also applies to record field-position indexing and to the get function for records and lists.
Apr 22, 2026 · @mavam, @codex · #35
The test harness now honors skip: {on: fixture-unavailable} for fixtures that are selected by individual tests:
skip:
on: fixture-unavailable
fixtures:
- optional-service
This lets parameterized per-test fixtures skip only the tests that need the unavailable service. Suite fixtures still require the opt-in in directory-level test.yaml, so one test's frontmatter cannot control the whole suite.
Apr 20, 2026 · @tobim, @codex · #6059
Partition rebuilds now finish after persisting rebuilt partitions. Previously, rebuild jobs could remain stuck indefinitely even though the replacement partitions were written successfully.
The summarize operator now starts frequency-based emission with the first
input event and emits overdue periodic results before later events are
aggregated. This makes periodic output deterministic in reset,
cumulative, and update modes for delayed or sparse streams.
For example:
from {ts: 0ms.from_epoch(), x: 1},
{ts: 90ms.from_epoch(), x: 1},
{ts: 360ms.from_epoch(), x: 1}
delay ts
summarize count=count(), options={frequency: 300ms, mode: "cumulative"}
The first periodic result now consistently reports a count of 2 before the
third event arrives.
Apr 21, 2026 · @lava, @gitryder
Workspace management has been enhanced with new capabilities for administrators. You can now rename workspaces directly from the workspace settings, and the Users tab now provides a unified interface for managing workspace access. Administrators can view all users with access to a workspace in a single table and easily change user roles between member and admin roles using dropdown controls.
Apr 21, 2026 · @lava, @gitryder
The Tenzir Platform now supports organizations, giving teams a shared home for collaborating across workspaces. Organization admins can invite members, assign admin or member roles, and manage which workspaces belong to the organization. Members get access to all workspaces owned by the organization and can leave from their user settings at any time.
Learn more in the organization management guide.
]]>Apr 16, 2026 · @tobim, @codex · #6039
Tenzir nodes now honor standard HTTP proxy environment variables when connecting to Tenzir Platform:
HTTPS_PROXY=http://proxy.example:3128 tenzir-node
Use NO_PROXY to bypass the proxy for selected hosts. This helps deployments where outbound connections to the Platform websocket gateway must go through an HTTP proxy.
Apr 15, 2026 · @lava
We added a new operator to accept data from incoming HTTP connections.
The server option of the from_http operator is now deprecated.
Going forward, it should only be used for client-mode HTTP operations,
and the new accept_http operator should be used for server-mode
operations.
Apr 16, 2026 · @mavam, @codex · #6022
The hash_* functions now hash blob values by their raw bytes. This makes checksums computed from binary data match external tools such as md5sum and sha256sum.
For example:
from_file "trace.pcap" {
read_all binary=true
}
md5 = data.hash_md5()
This is useful for verifying file contents and round-tripping binary formats without leaving TQL.
]]>100% passed and 0% failed.
The final aggregate summary now reports non-perfect pass and fail percentages whenever at least one executed test fails. Previously, rounding could show 100% passed and 0% failed for runs with a small number of failures, even though the overall result was not a full success.
For example, a run like 586 passed / 1 failed / 152 skipped now renders the executed-test percentages as 99% passed and 1% failed. This makes mixed outcomes easier to spot at a glance in the CLI output.
The reusable release workflow no longer emits the Node 20 deprecation warning when it generates GitHub App tokens on GitHub-hosted runners.
Repositories that call tenzir/ship/.github/workflows/release.yaml now get clean release logs without extra configuration.
v-prefixed tags. It keeps release publishing, local development, and CI installs on maintained versions without changing normal tenzir-ship usage.
The repository's locked Python dependencies now use patched upstream releases, including fixes for the open security advisories reported by Dependabot.
This refresh keeps local development and CI installs on maintained versions without changing normal tenzir-ship usage.
The release publish --commit workflow now uses the tag-form version in generated release commits and annotated tag messages.
For example, publishing v1.1.0 now creates Release v1.1.0 instead of Release 1.1.0:
tenzir-ship release publish v1.1.0 --commit --tag --yes
This keeps generated release commits aligned with the corresponding Git tag and avoids mismatches in automation that expects the v-prefixed release identifier.
context::lookup operator, and it adds pipeline names to diagnostics and metrics for easier operational correlation. This release also improves export reliability under load and fixes Azure transport errors, HTTP Host headers for non-standard ports, and rebuilt-partition export correctness.
Apr 1, 2026 · @IyeOnline · #5964
The context::lookup operator enables unified matching of events against contexts
by combining live and retrospective filtering in a single operation.
The operator automatically translates context updates into historical queries while simultaneously filtering all newly ingested data against any context updates.
This provides:
live=trueretro=trueExample usage:
context::lookup "feodo", field=src_ip
where @name == "suricata.flow"
Mar 30, 2026 · @IyeOnline, @claude · #5959
The metrics and diagnostics operators now include a pipeline_name field.
Previously, output from these operators only identified the source pipeline by its ID. Now the human-readable name is available too, making it straightforward to filter or group results by pipeline name without needing to look up IDs separately.
Please keep in mind that pipeline names are not unique.
Apr 8, 2026 · @claude
Bumped Apache Arrow from 23.0.0 to 23.0.1, which includes an upstream fix
for unhandled Azure::Core::Http::TransportException in Arrow's
AzureFileSystem methods. Previously, transport-level errors (e.g., SSL
certificate failures) could crash the node during file listing, reading, or
writing. Additionally, the direct Azure SDK calls in the blob deletion code
paths now catch Azure::Core::RequestFailedException (the common base of
both StorageException and TransportException) instead of listing
specific exception types.
Apr 7, 2026 · @tobim, @codex · #5988
The export operator no longer emits partially populated events from rebuilt partitions when a row is null at the record level. Previously, some events could appear with most fields set to null while a few values, such as event_type or interface fields, were still present.
This makes exports from rebuilt data more reliable when investigating sparse or malformed-looking events.
Mar 31, 2026
The from_http and http operators now include the port in the Host header
when the URL uses a non-standard port. Previously, the port was omitted, which
caused requests to fail with HTTP 403 when the server validates the Host
header against the full authority, such as for pre-signed URL signature
verification.
The export command no longer fails or misses recent events when a node is flushing active partitions to disk under heavy load. Recent exports now keep the in-memory partitions they depend on alive until the snapshot completes, which preserves correctness for concurrent import and export workloads.
Apr 7, 2026 · @gitryder
We added thousands separators to numeric values in the pipeline Insights tab, making large numbers easier to read at a glance.
Apr 7, 2026 · @gitryder
We fixed an issue where the pipeline table stayed filtered after viewing a pipeline's detail page and navigating away to another tab. Returning to the Pipelines page would show only the previously viewed pipeline, and clearing the search had no effect.
]]>The reusable GitHub Actions release workflow now works in external repositories by default. It falls back to the caller repository's GITHUB_TOKEN, makes GitHub App authentication optional, and only enables GPG signing when a caller provides a signing key and opts into commit and/or tag signing. The single release.yaml workflow now also exposes the advanced hooks and release controls directly, including skip-publish for dry runs and smoke tests. Tenzir repositories can still opt into the existing bot identity, GitHub App token flow, and signed commits and tags by passing those settings explicitly.
Mar 27, 2026 · @gitryder
You can now choose which fields are visible in the Explorer's table view. When you select a schema in the sidebar, its fields are listed below. Click a field to hide its column from the table. Shift+click a field to show only that field. A "fields hidden" indicator in the table header lets you clear all hidden fields at once. Field selections are remembered per schema and reset when you run a new pipeline.
Mar 26, 2026 · @gitryder
You can now filter events in the Stream view by clicking schemas in the sidebar. The schemas panel shows color-coded dots matching each schema's badge color, and selecting one or more schemas limits the view to only those events. Same-name schema variants are merged into a single entry in the sidebar for easier navigation.
Mar 26, 2026 · @gitryder
We added a new Stream view to the Explorer that shows all pipeline results as a continuous list of expandable events. You can switch between the Table, Chart, and Stream views using the view selector in the toolbar. The Stream view displays events from all schemas together, with color-coded badges to distinguish between them. Each row shows a one-line preview that you can expand to inspect the full event. The view remembers your selection across pipeline runs, and the event list scrolls horizontally as a whole, with schema badges staying pinned on the left.
Mar 13, 2026 · @gitryder
You can now sort the Explorer table by clicking column headers. Sortable columns show a sort indicator, and clicking cycles through ascending, descending, and unsorted states. Sorting works for both top-level and nested fields.
Mar 12, 2026 · @gitryder
You can now click on field names and values in the Explorer inspector to copy them to the clipboard. Field names copy the full dot-separated path, and values copy their TQL representation.
Mar 12, 2026 · @gitryder
You can now select a time range directly from the Explorer header. Choose from quick presets like 5 minutes or 12 hours, or open the custom popover to pick from a grid of relative durations or set an absolute date range. The selector is currently available for pipelines that start with the export operator.
Mar 12, 2026 · @gitryder
We combined the 'About' and 'Install' tabs in the package detail drawer into a single scrollable view. Package information, examples, and configuration options are now shown on one page instead of requiring tab switches.
Mar 24, 2026 · @gitryder
We fixed an issue where custom packages installed on a node were not visible in the library view. Previously, only packages from the official Tenzir library were shown. Custom packages are now included alongside library packages.
Mar 24, 2026 · @gitryder
We fixed a bug where operator description text on the package detail page appeared rotated 90 degrees, overlapping other content.
Mar 17, 2026 · @gitryder
Packages containing user-defined operators can again be installed through the platform. Previously, installing such packages failed because the operator arguments were serialized incorrectly. This only affected installs through the platform UI—command-line package installs were not impacted.
]]>Feb 4, 2026 · @tobim, @codex · #5703
AWS operators now support OIDC-based authentication via the AssumeRoleWithWebIdentity API.
You can authenticate with AWS resources using OpenID Connect tokens from external identity providers like Azure, Google Cloud, or custom endpoints. This enables secure cross-cloud authentication without sharing long-lived AWS credentials.
Configure web identity authentication in any AWS operator by specifying a token source and target role:
from_s3 "s3://bucket/path", aws_iam={
region: "us-east-1",
assume_role: "arn:aws:iam::123456789012:role/cross-cloud-role",
web_identity: {
token_file: "/path/to/oidc/token"
}
}
The web_identity option accepts three token sources: token_file (path to a token file), token_endpoint (HTTP endpoint that returns a token), or token (direct token value). For HTTP endpoints, you can extract tokens from JSON responses using path.
Credentials automatically refresh before expiration, with exponential backoff retry logic for transient failures. This is especially useful for long-running pipelines that need persistent authentication.
Mar 30, 2026 · @jachris · #5954
Pipelines that use and, or, or if-else expressions run significantly faster in certain cases — up to 30× in our benchmarks. The improvement is most noticeable in pipelines with complex filtering or branching logic. No pipeline changes are needed to benefit.
Mar 23, 2026 · @mavam, @codex · #5939
The ocsf::derive operator now supports OCSF 1.8.0 events.
For example, you can now derive enum and sibling fields for events that declare
metadata.version: "1.8.0":
from {metadata: {version: "1.8.0"}, class_uid: 1007}
ocsf::derive
This keeps OCSF normalization pipelines working when producers emit 1.8.0
events.
Platform configuration validation now provides clearer error messages when an invalid configuration is encountered, helping you quickly diagnose and fix configuration issues.
Setting TENZIR_ENDPOINT to an unresolvable hostname no longer crashes the pipeline with a segfault.
Mar 25, 2026 · @mavam, @claude · #5949
ocsf::derive no longer emits a false warning when an _id field is set
to 99 (Other) and the sibling string contains a source-specific value.
Per the OCSF specification, 99/Other is an explicit escape hatch: the
integer signals that the value is not in the schema's enumeration and the
companion string must hold the raw value from the data source. For
example, the following is now accepted silently:
from {
metadata: { version: "1.7.0" },
type_uid: 300201,
class_uid: 3002,
auth_protocol_id: 99,
auth_protocol: "Negotiate",
}
ocsf::derive
Previously this produced a spurious warning: found invalid value for 'auth_protocol' because "Negotiate" is not a named enum caption.
Mar 24, 2026 · @lava
The Azure Blob Storage connector now handles Azure::Core::Http::TransportException
(e.g., SSL certificate errors) gracefully instead of crashing. Previously, a
self-signed certificate in the certificate chain would cause an unhandled
exception and terminate the node.
Mar 20, 2026 · @mavam, @codex · #20
This fixes the release candidate workflow so RCs no longer remain in changelog history after they have been superseded. Creating a new -rc.N now replaces the previous RC for that cycle, and creating a stable release closes the RC cycle and removes its RC manifests from releases/.
For example:
# Start an RC cycle for a later stable release.
tenzir-ship release create v1.2.3 --rc --yes
tenzir-ship release create v1.3.0 --yes
# Or promote the active RC to its matching stable release.
tenzir-ship release create v1.2.3 --rc --yes
tenzir-ship release create --yes
After the stable release is created, the RC is no longer kept in release history. Release candidates are also cumulative, so each new RC includes the previous RC's entries plus any newly added unreleased entries, while stable releases remain incremental.
]]>Mar 17, 2026 · @tobim
Feather store files now include a TENZIR:store:origin key in the Arrow table
schema metadata. The value is "ingest" for freshly ingested data, "rebuild"
for partitions created by the rebuild command, and "compaction" for partitions
created by the compaction plugin. This allows external tooling such as pyarrow
to distinguish how a partition was produced.
Mar 11, 2026 · @IyeOnline, @codex, @mavam, @raxyte · #5897
The to_clickhouse operator now supports dynamic table names via an expression
table=..., which must evaluate to a string. If the value is not a valid
table name, the events will be dropped with a warning.
With this change, the operator will also create a database if it does not exist.
The prime use-case for this are OCSF event streams:
subscribe "ocsf"
ocsf::cast encode_variants=true, null_fill=true
to_clickhouse table=f"ocsf.{class_name.replace(" ","_")}", ...
You can now install Tenzir on Apple Silicon macOS via Homebrew:
brew tap tenzir/tenzir
brew install --cask tenzir
You can also install directly without tapping first:
brew install --cask tenzir/tenzir/tenzir
The release workflow keeps the Homebrew cask in sync with the signed macOS package so installs and uninstalls stay current across releases.
The AWS Marketplace ECR repository tenzir-node was incorrectly populated with
the tenzir image. It now correctly ships tenzir-node, which runs a Tenzir
node by default.
If you relied on the previous behavior, you can restore it by setting tenzir
as a custom entrypoint in your ECS task definition.
The bundled Suricata schema now covers the remaining event types listed in the Suricata 8.0.3 EVE JSON format documentation: IKE (IKEv1/IKEv2), HTTP/2, PostgreSQL, and Modbus. This completes Suricata 8 schema coverage for Tenzir.
The read_syslog operator and parse_syslog function now accept RFC 5424 structured-data parameter names longer than 32 characters, which some vendors emit despite the specification limit.
For example, this message now parses successfully instead of being rejected:
<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 [F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] broken example
This improves interoperability with vendor syslog implementations that exceed the RFC limit for structured-data parameter names.
Mar 14, 2026 · @aljazerzen · #5906
The batch timeout was only checked when a new event arrived, so a single event followed by an idle stream would never be emitted. The timeout now fires independently of upstream activity.
Mar 13, 2026 · @jachris · #5901
The parse_winlog function could fragment output into thousands of tiny
batches due to type conflicts in RenderingInfo/Keywords, where events with
one <Keyword> emitted a string but events with multiple emitted a list.
Additionally, EventData with unnamed <Data> elements is now always emitted
as a record with _0, _1, etc. as field names instead of a list.
Mar 12, 2026 · @jachris · #5899
The in operator for list expressions is up to 33x faster. Previously it
created and finalized entire Arrow arrays for every element comparison, causing
severe overhead for expressions like EventID in [5447, 4661, ...].
Additionally, comparing a typed null value with == now returns false instead
of null, and != returns true, fixing a correctness issue with null
handling in equality comparisons.
Mar 12, 2026 · @jachris · #5899
The in operator fast path now correctly prevents comparison of secret values.
Previously, secret_value in [...] would silently compare instead of returning
null with a warning, bypassing the established secret comparison policy.
Mar 12, 2026 · @jachris · #5900
Pattern equality checks now correctly consider the case-insensitive flag. Previously, two patterns that differed only in case sensitivity were treated as equal, violating the hash/equality contract.
Mar 12, 2026 · @jachris · #5899
Splitting Arrow arrays for string and blob types no longer over-reserves memory. Previously both output builders reserved the full input size each, using up to twice the necessary memory.
]]>tenzir-ship now supports release candidates via release create --rc. Creating a release candidate snapshots the current unreleased entries without consuming them, so you can iterate on -rc.N releases before promoting one to the final stable release. The stable base is inferred automatically, and rerunning the command continues the matching RC series when one already exists.
When you are ready to ship the stable release, rerun tenzir-ship release create without --rc and the latest outstanding release candidate becomes the matching stable release automatically. Once an RC series exists, you either continue it with release create --rc or promote the latest candidate with the normal stable command.
Publishing a release candidate now automatically creates a GitHub prerelease and prevents it from being marked as latest. release version and show latest continue to resolve the latest stable release, while release publish without an explicit version now targets the latest release manifest, including RCs. The bundled GitHub Actions release workflows accept rc so you can keep creating RCs from CI, and the default stable workflow promotes the latest outstanding candidate automatically.
Fixed a scheduling issue introduced in v5.24.0 that could cause the node to
become unresponsive when too many pipelines using detached operators like
from_udp were deployed simultaneously.
The bundled Suricata schema now includes types for four previously missing event types: ike, http2, pgsql, and modbus.
The ike type supports both IKEv1 and IKEv2 traffic. Version-specific fields are contained within dedicated ikev1 and ikev2 sub-objects, covering key exchange payloads, nonce payloads, client proposals, vendor IDs, and IKEv2 role/notify information.
The http2 type models HTTP/2 request and response streams including settings frames, header lists, error codes, and stream priority.
The pgsql type covers PostgreSQL session events with full request fields (simple queries, startup parameters, SASL authentication) and response fields (row counts, command completion, parameter status).
The modbus type captures industrial Modbus protocol transactions including function codes, access types, exception responses, diagnostic subfunctions, and MEI encapsulated interface data.
Mar 13, 2026 · @mavam, @codex · #5902
read_syslog and parse_syslog now extract a leading RFC 5424-style
structured-data block from RFC 3164 message content.
This pattern occurs in practice with some VMware ESXi messages, where
components such as Hostd emit a legacy syslog record and prepend structured
metadata before the human-readable message text.
For example, this raw syslog line:
<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: [Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed
now parses as:
{
facility: 20,
severity: 6,
timestamp: "2026-02-11T18:01:45.587Z",
hostname: "esxi-01.example.invalid",
app_name: "Hostd",
process_id: "2099494",
structured_data: {
"Originator@6876": {
sub: "Vimsvc.TaskManager",
opID: "11111111-2222-3333-4444-555555555555",
},
},
content: "Task Completed",
}
Events without extracted structured data keep the existing syslog.rfc3164
schema. Events with extracted structured data use
syslog.rfc3164.structured.
Mar 10, 2026 · @IyeOnline, @satta · #5888
The bundled Suricata schema now aligns with Suricata 8, enabling proper parsing and representation of events from Suricata 8 deployments.
This update introduces support for new event types including POP3, ARP, and BitTorrent DHT, along with enhancements to existing event types. QUIC events now include ja4 and ja4s fields for fingerprinting, DHCP events include vendor_class_identifier, and TLS certificate timestamps now use the precise time type instead of string representation.
These schema changes ensure that Tenzir can reliably ingest and process telemetry from Suricata 8 without data loss or type mismatches.
Mar 11, 2026 · @jachris · #5893
In some situations, pipelines could not be successfully started, leading to timeouts and a non-responsive node, especially during node start.
Mar 10, 2026 · @IyeOnline, @codex · #5886
Pipelines using chained list transforms such as xs.where(...).map(...).where(...) no longer trigger an internal assertion on sliced input batches.
Mar 9, 2026 · @mavam, @codex · #5877
Invalid Google Cloud credentials in from_google_cloud_pubsub no longer crash the node. Authentication errors now surface as operator diagnostics instead.
Mar 12, 2026 · @lava
We upgraded Python dependencies and added system-level package upgrades to the Docker images to address known vulnerabilities.
Mar 11, 2026 · @realllydan
We fixed an issue where switching away from a pipeline that has the Insights tab available to one that does not could leave the tab selection in an invalid state.
]]>The bundled GitHub Actions workflows now use Node 24-compatible action versions, which keeps CI, release, and publishing automation aligned with GitHub's runtime transition. The release and sync workflows also mint GitHub App installation tokens without relying on a deprecated JavaScript action.
Release commands and the Python API now handle release versions more consistently when changelog data mixes tag-style versions such as v1.2.3 with bare semantic versions such as 1.2.3. This improves compatibility with existing changelog histories and makes release automation more reliable across commands that inspect, create, show, and publish releases.
Skipping a test no longer modifies its baseline file. Previously, running
with --update would overwrite the baseline of a skipped test with an empty
file, and running without --update would fail if the baseline was non-empty.
Skipped tests now leave existing baselines untouched, so toggling a skip
condition no longer causes unrelated baseline churn.
init command scaffolds changelog projects interactively or non-interactively, so you can set up a standalone or package-based project in less time. It also protects existing projects from accidental overwrites.
A new init command allows for scaffolding a new changelog project interactively or with the --yes flag. It supports both standalone and package modes, and prevents accidental overwriting of existing projects.
tenzir-ship init
This reduces the manual effort required to set up a new changelog.
]]>Mar 10, 2026 · @lava
The app container now supports a PRIVATE_WEBSOCKET_GATEWAY_ENDPOINT environment variable that overrides the existing PUBLIC_WEBSOCKET_GATEWAY_ENDPOINT for calls in the app backend. This allows configuring different endpoints when the frontend and backend live in different networks.
Mar 10, 2026 · @realllydan
The pipeline detail modal now includes an experimental Insights tab that visualizes per-operator backpressure, helping users identify bottlenecks in their pipelines. This tab is only available for pipelines running on the experimental new executor.
Mar 10, 2026 · @lava
We fixed an issue where ephemeral nodes were causing the frontend to fail to render or be displayed with incorrect connection status.
]]>Mar 2, 2026 · @mavam, @codex · #5851
parse_syslog() and read_syslog now accept common Check Point structured-data variants that are not strictly RFC 5424 compliant. This includes key:"value" parameters, semicolon-separated parameters, and records that omit an SD-ID entirely.
For records without an SD-ID, Tenzir now normalizes the structured data under checkpoint_2620, so downstream pipelines can use a stable field path.
For example, the message <134>1 ... - [action:"Accept"; conn_direction:"Incoming"] now parses successfully and maps to structured_data.checkpoint_2620. This improves interoperability with Check Point exports and reduces ingestion-time preprocessing.
Mar 6, 2026 · @IyeOnline · #5805
JSON parsing errors now display the surrounding bytes at the error location. This makes it easier to diagnose malformed JSON in your data pipelines.
For example, if your JSON is missing a closing bracket, the error message shows you the bytes around that location and marks where the parser stopped expecting more input.
Mar 4, 2026 · @tobim, @codex · #5865
The load_tcp operator now makes DNS hostname resolution opt-in with the resolve_hostnames parameter (defaults to false).
Previously, the operator always attempted reverse DNS lookups for peer endpoints, which could fail in environments without working reverse DNS configurations. Now you can enable this behavior by setting resolve_hostnames to true:
load_tcp endpoint="0.0.0.0:5555" resolve_hostnames=true {
read_json
}
When enabled and DNS resolution fails, the operator emits a warning diagnostic (once) instead of failing. This allows the operator to continue functioning in environments where reverse DNS is unavailable or unreliable.
Mar 6, 2026 · @IyeOnline · #5805
We improved the reporting for unexpected diagnostics outside of operator execution, such as during startup. In these cases you will now get the diagnostic message.
Mar 6, 2026 · @IyeOnline · #5805
Fixed multiple issues that could cause errors or incorrect behavior when the schema of parsed events changes between records. This is particularly important when ingesting data from sources that may add, remove, or modify fields over time.
Schema mismatch warnings for repeated fields in JSON objects (which Tenzir interprets as lists) now include an explanatory hint, making it clearer what's happening when a field appears multiple times where a single value was expected.
]]>Mar 5, 2026 · @lava
When you click a deep link in Tenzir Platform but aren't logged in, you're now redirected to your original destination after signing in, instead of landing on the home page.
Feb 18, 2026 · @gitryder
We improved how the nodes list loads, making dependent views feel faster and more responsive across the platform.
Feb 27, 2026 · @gitryder
We fixed an issue where profile images from Gravatar and Microsoft accounts were blocked by the content security policy, causing broken or missing avatars.
Feb 27, 2026 · @gitryder
We fixed an issue where the diagnostics pane could show diagnostics from a different pipeline than the one currently open in the detail modal.
Feb 18, 2026 · @gitryder
We fixed an issue where the context list could appear in a random order when no search was active, causing items to jump around. The list now uses a stable alphabetical order so it stays consistent and easier to interact with.
Feb 18, 2026 · @gitryder
We fixed an issue where opening a pipeline link for a workspace you don’t have access to would log you out. You are now redirected to the access page where you can open the link in your default workspace.
]]>Mar 4, 2026 · @mavam, @claude, @codex
We improved clarity and efficacy of the releasing process in the tenzir-ship agent skill.
Mar 2, 2026 · @IyeOnline · #5855
We fixed a bug that could cause a crash when reading JSON data.
Mar 2, 2026 · @jachris · #5841
The CEF parser now handles unescaped = characters (which are not conforming to
the specification) by using a heuristic.
Mar 1, 2026 · @mavam, @claude, @codex · #11
The pi-tenzir-ship package provides a skill for AI coding agents to perform
release engineering tasks. Install it in Pi with:
pi install npm:pi-tenzir-ship
Then activate it with /skill:tenzir-ship.
The skill covers adding changelog entries, cutting standard and module releases, triggering GitHub Actions release workflows, and publishing releases to GitHub.
Feb 28, 2026 · @mavam, @codex · #10
The release creation command now automatically updates version fields in package manifest files during release. When creating a release, tenzir-ship detects and updates package.json, pyproject.toml, project.toml, and Cargo.toml files in your project, including support for dynamic version files in monorepo workspaces.
You can control this behavior with the release.version_bump_mode configuration option in your config.yaml:
auto (default): Automatically detect and update version filesoff: Skip version file updatesFor more granular control, use the release.version_files option to explicitly specify which files to update. Auto-detection searches the project root and parent directory (for nested changelog projects) and gracefully skips files without static version fields.
Release version selection now defaults to automatic bumping when you run
release create without an explicit version and without --patch, --minor,
or --major. The next version is inferred from unreleased entry types:
If no unreleased changelog entries exist, automatic bumping is not available. In that case, provide an explicit version or a manual bump flag to create an intro-only release.
The stats command now reports the computed next release version (or no value
when no automatic bump can be inferred), including in stats --json.
Feb 28, 2026 · @mavam, @codex · #9
Create releases with only introductory text and no changelog entries by using the --intro or --intro-file flags with release create. This is useful when re-publishing a package after yanking a previous artifact or retrying a failed publish workflow—scenarios where you want to create a new release version without adding changelog entries.
Previously, you had to provide at least one changelog entry to create a release. Now the release creation allows you to skip the entries entirely if you supply intro text. The --intro flag accepts text directly, while --intro-file reads from a Markdown file.
reusable-release.yaml now acts as a minimal opinionated wrapper around a new
reusable-release-advanced.yaml workflow.
The advanced workflow adds optional hooks and release controls for complex
consumers: pre/post publish scripts, non-main --no-latest publishing,
optional copy of release directories to main, latest branch updates, a
skip-publish dry-run mode, and workflow outputs for version and
is_latest.
Release commands now validate changelog directory structure before they run and fail fast when it is invalid.
release create and release publish now stop with explicit errors when stray files or directories are detected (for example, an unexpected changelog/next/ directory). Other commands (show, add, stats, and release version) emit warnings so layout problems are visible earlier, while validate reports full structural issues as regular validation errors.
Feb 15, 2026 · @mavam, @claude · #7
When a release step fails, the full command now prints below the progress panel so you can copy-paste it for manual recovery.
Previously, long commands would get truncated in the release progress panel, making it difficult to reproduce the failure manually. Now when a step fails, the complete command is displayed in full below the panel, giving you what you need to debug and retry the operation.
]]>Feb 27, 2026 · @mavam, @codex · #5846
The new experimental hmac function computes Hash-based Message
Authentication Codes (HMAC) for strings and blobs. It supports SHA-256
(default), SHA-512, SHA-384, SHA-1, and MD5 algorithms.
Note: The key parameter is currently a plain string because function
arguments cannot be secrets yet. We plan to change this in the future.
from {
signature: hmac("hello world", "my-secret-key"),
}
{
signature: "90eb182d8396f16d4341d582047f45c0a97d73388c5377d9ced478a2212295ad",
}
Specify a different algorithm with the algorithm parameter:
from {
signature: hmac("hello world", "my-secret-key", algorithm="sha512"),
}
Feb 27, 2026 · @IyeOnline · #5842
We fixed a bug that would cause an assertion failure "Index error: array slice would exceed array length". This was introduced as part of an optimization in Tenzir Node v5.27.0.
]]>Parallel suites are now scheduled more reliably when running with --jobs > 1, so interdependent tests (for example publisher/subscriber pairs) start together sooner instead of being delayed behind large backlogs of unrelated tests.
This update also adds an explicit correctness guard for parallel suites: you can set suite.min_jobs in test.yaml to declare the minimum job count required for valid execution. The run now fails fast if --jobs is lower than suite.min_jobs, and it also fails hard when a parallel suite cannot reserve at least min_jobs workers at runtime (for example under slot contention), instead of proceeding under-provisioned.
In addition, the harness now warns when a parallel suite has more tests than available jobs, making it easier to spot cases where effective suite parallelism is capped by worker count.
]]>Feb 24, 2026 · @lava
Fixed in issue where the platform plugin did not correctly use the
configured certfile, keyfile and cafile options for client
certificate authentication, and improved the error messages for TLS
issues during platform connection.
Feb 25, 2026 · @mavam, @codex · #32
Python fixture tests could fail with serialization errors when the test
configuration included enum values like mode: sequential in test.yaml.
These values are now properly converted to strings before being passed to
test scripts.
Feb 24, 2026 · @mavam, @codex · #29
Test suites can now execute their members in parallel by specifying mode: parallel in the suite configuration. By default, suites continue to run tests sequentially for stability and predictability.
To enable parallel execution, set mode: parallel in the test.yaml file alongside the suite configuration:
suite:
name: my-suite
mode: parallel
fixtures:
- node
Parallel suite execution is useful when tests within a suite are independent and can safely run concurrently. All suite members share the same fixtures and execute within the same fixture lifecycle, while test execution itself happens on separate threads. The suite thread pool is bounded by --jobs, so suite-level concurrency stays within the configured worker budget and does not scale unbounded with suite size.
Suite-level constraints like timeouts, fixture requirements, and capability checks still apply uniformly across all members, whether running sequentially or in parallel.
Feb 25, 2026 · @mavam, @codex · #31
Interrupting test runs with Ctrl+C now exits cleanly without leaking Python tracebacks from subprocess or fixture startup/teardown paths. Interrupt-shaped errors (including nested causes with signal-style return codes such as 130) are treated as graceful cancellation so the CLI reports interrupted tests instead of crashing.
Feb 24, 2026 · @mavam, @codex · #30
Shell test files (.sh) now always default to the "shell" runner, even when a directory-level test.yaml file specifies a different runner (for example, runner: tenzir). This makes shell scripts work reliably in mixed-runner directories without requiring explicit runner: frontmatter in each file. Explicit runner: declarations in test file frontmatter still take precedence and can override this behavior if needed.
Manual fixture control now behaves consistently for fixtures that declare dataclass options.
Previously, starting a fixture with acquire_fixture(...) could fail when no
explicit options were provided, even if the fixture defined defaults.
With this fix, current_options(...) returns default typed options in the
manual fixture-control path, so fixtures started manually and fixtures started
through normal test activation behave the same way.
Feb 22, 2026 · @mavam, @codex · #5819
The slice function now supports list types in addition to string. You can slice lists using the same begin, end, and stride parameters. Negative stride values are now supported for lists, letting you reverse or step backward through list data. String slicing continues to require a positive stride.
Example usage with lists:
[1, 2, 3, 4, 5].slice(begin=1, end=4) returns [2, 3, 4][1, 2, 3, 4, 5].slice(stride=-1) returns the list in reverse order[1, 2, 3, 4, 5].slice(begin=1, end=5, stride=-2) returns [5, 3]Feb 17, 2026 · @mavam, @codex · #5767
The sort function now supports two new parameters: desc for controlling
sort direction and cmp for custom comparison logic via binary lambdas.
Sort in descending order:
from {xs: [3, 1, 2]}
select ys = sort(xs, desc=true)
{ys: [3, 2, 1]}
Sort records by a specific field using a custom comparator:
from {xs: [{v: 2, id: "b"}, {v: 1, id: "a"}, {v: 2, id: "c"}]}
select ys = sort(xs, cmp=(left, right) => left.v < right.v)
{
ys: [
{v: 1, id: "a"},
{v: 2, id: "b"},
{v: 2, id: "c"},
],
}
The cmp lambda receives two elements and returns a boolean indicating whether
the first element should come before the second. Both parameters can be combined
to reverse a custom comparison.
Feb 17, 2026 · @tobim
The read_lines operator was accidently broken while it was ported
to the new execution API. This change restores its functionality.
HTTP header values containing colons are now parsed correctly.
]]>