# Tenzir Node v5.15.0

This release enhances TQL’s data transformation capabilities with lambda expressions that can capture surrounding fields in `map` and `where` functions, plus grouped enumeration for separate event counting. We’ve also improved operator composability with enhanced `to_splunk` parameters, added octet counting support for syslog messages, and fixed critical issues in Kafka message handling and HTTP request processing.

## 🚀 Features

### Improve `to_splunk` composability

Sep 18, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5478](https://github.com/tenzir/tenzir/pull/5478)

We have improved the composability of the `to_splunk` operator. The `host` and `source` parameters now accept a `string` expression instead of only a constant. Further, there is a new `event` parameter that can be used to specify what should be sent as the event to the Splunk HTTP Event Collector.

The combination of these options improves the composability of the operator, allowing you to set event-specific Splunk parameters, while not also transmitting them as part of the actual event:

```tql
from {
  host: "my-host",
  a: 42,
  b: 0
}

// move the entire event into `event`
this = { event: this }

// hoist the Splunk-specific field back out
move host = event.host

to_splunk "https://localhost:8088",
  hec_token=secret("splunk-hec-token"),
  host=host,
  event=event
```

### Flag for preventing automatic pipeline starts

Sep 16, 2025 · [@jachris](https://github.com/jachris) · [#5470](https://github.com/tenzir/tenzir/pull/5470)

When the node starts, pipelines that were previously running are immediately started. The new `--no-autostart` flag can be used to disable this behavior.

### Octet Counting in `read_syslog`

Sep 16, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5472](https://github.com/tenzir/tenzir/pull/5472)

We have added a new option `octet_counting` to the `read_syslog` operator. Enabling this option determines message boundaries according to [RFC 6587](https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.1) instead of our heuristic.
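How the octet-counting framing of RFC 6587 section 3.4.1 (`MSG-LEN SP SYSLOG-MSG`) fixes message boundaries even when a message contains a newline, shown as an added Python example that is not Tenzir's implementation. The names `frame`, `OctetCountingDecoder`, `FramingError`, the `MAX_MSG_LEN` cap and the sample messages are constructed for illustration.

```python
MAX_MSG_LEN = 8192  # assumed receiver-side cap; not a Tenzir setting


class FramingError(ValueError):
    """The stream does not follow MSG-LEN SP SYSLOG-MSG."""


def frame(msg: bytes) -> bytes:
    """Sender side: prefix the message with its length in octets."""
    return str(len(msg)).encode() + b" " + msg


class OctetCountingDecoder:
    """Incremental receiver; tolerates frames split across TCP reads."""

    def __init__(self, max_len: int = MAX_MSG_LEN):
        self.buf = bytearray()
        self.max_len = max_len

    def _check_len(self, prefix: bytes) -> None:
        # MSG-LEN = NONZERO-DIGIT *DIGIT, bounded so junk cannot grow the buffer.
        ok = prefix.isdigit() and prefix[0] != ord("0")
        if not ok or len(prefix) > len(str(self.max_len)):
            raise FramingError(f"bad MSG-LEN {prefix[:16]!r}")

    def feed(self, chunk: bytes) -> list[bytes]:
        """Add received bytes; return every message that is now complete."""
        self.buf += chunk
        out = []
        while self.buf:
            sp = self.buf.find(b" ")
            self._check_len(bytes(self.buf if sp == -1 else self.buf[:sp]))
            if sp == -1:
                break  # length prefix itself is still incomplete
            n = int(self.buf[:sp])
            if n > self.max_len:
                raise FramingError(f"MSG-LEN {n} exceeds cap {self.max_len}")
            end = sp + 1 + n
            if len(self.buf) < end:
                break  # wait for the rest of the message body
            out.append(bytes(self.buf[sp + 1:end]))
            del self.buf[:end]
        return out


# Constructed sample: the first message carries an embedded LF in its text.
M1 = b"<13>1 2025-09-16T10:00:00Z host1 app 1 - - line one\nline two"
M2 = b"<13>1 2025-09-16T10:00:01Z host1 app 2 - - next message"
STREAM = frame(M1) + frame(M2)
```

Feeding `STREAM` to the decoder in arbitrary chunk sizes yields exactly `M1` and `M2`, whereas splitting the same bytes on LF cuts `M1` in the middle.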

### Grouped enumeration

Sep 16, 2025 · [@raxyte](https://github.com/raxyte) · [#5475](https://github.com/tenzir/tenzir/pull/5475)

The `enumerate` operator now supports a `group` option to enumerate events separately based on a value.

For example, to have a field act as a counter for a value, use the following pipeline:

```tql
from {x: 1}, {x: 2}, {x: "1"}, {x: 2}
enumerate count, group=x
count = count + 1
```

```tql
{
  count: 1,
  x: 1,
}
{
  count: 1,
  x: 2,
}
{
  count: 1,
  x: "1",
}
{
  count: 2,
  x: 2,
}
```

### Lambdas in `map` and `where` can capture surrounding fields

Sep 16, 2025 · [@raxyte](https://github.com/raxyte) · [#5457](https://github.com/tenzir/tenzir/pull/5457)

Lambda expressions in the `map` and `where` functions can now capture and access fields from the surrounding context, enabling more powerful data transformations.

For example:

```tql
from {
  host: "server1",
  ports: [80, 443, 8080]
}
ports = ports.map(p => {host: host, port: p})
```

```tql
{
  host: "server1",
  ports: [
    {
      host: "server1",
      port: 80,
    },
    {
      host: "server1",
      port: 443,
    },
    {
      host: "server1",
      port: 8080,
    },
  ],
}
```

## 🔧 Changes

### Dedicated Syslog Schema Names

Sep 16, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5472](https://github.com/tenzir/tenzir/pull/5472)

The `read_syslog` operator now produces dedicated schemas `syslog.rfc5425`, `syslog.rfc3164` and `syslog.unknown` instead of an unspecific `tenzir.syslog`.

### Keep Zeek TSV logs as-is in `read_zeek_tsv`

Sep 16, 2025 · [@tobim](https://github.com/tobim) · [#5461](https://github.com/tenzir/tenzir/pull/5461)

Parsing Zeek TSV logs no longer attempts to cast the parsed events to a shipped Zeek schema.

## 🐞 Bug Fixes

### Fixed `to_kafka` crash

Sep 18, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5465](https://github.com/tenzir/tenzir/pull/5465)

The recently released `to_kafka` operator would fail with an internal error when used without specifying the `message` argument.

The operator now works as expected, sending the entire event if the argument is not specified.

### Explicit Commits in `load_kafka`

Sep 18, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5465](https://github.com/tenzir/tenzir/pull/5465)

The `load_kafka` operator now explicitly commits messages it has consumed. By default, it will commit every 1000 messages or every 10 seconds, with the behavior being customizable via two new operator arguments.

Previously, the operator would automatically commit every message that the backing library had loaded asynchronously, which may have included messages that were never accepted by the pipeline.

### `http` operator stalling

Sep 18, 2025 · [@raxyte](https://github.com/raxyte) · [#5479](https://github.com/tenzir/tenzir/pull/5479)

The `http` operator now correctly handles its internal waiting state, fixing an intermittent issue where HTTP requests could hang unexpectedly.

### Improved Syslog Output Schema

Sep 16, 2025 · [@IyeOnline](https://github.com/IyeOnline) · [#5472](https://github.com/tenzir/tenzir/pull/5472)

We have improved our `read_syslog` operator and `parse_syslog` function. They no longer re-order fields if the syslog format changes mid-stream, and they now produce correctly typed null values for the special `-` value.

[Download on GitHub](https://github.com/tenzir/tenzir/releases/tag/v5.15.0): get the release artifacts and source code.