# Tenzir Node v5.29.2

This patch release fixes several correctness and performance issues across parsing, querying, and storage, and completes Suricata 8 schema coverage.

## 🚀 Features

### Add store origin metadata to feather files

Mar 17, 2026 · [@tobim](https://github.com/tobim)

Feather store files now include a `TENZIR:store:origin` key in the Arrow table schema metadata. The value is `"ingest"` for freshly ingested data, `"rebuild"` for partitions created by the rebuild command, and `"compaction"` for partitions created by the compaction plugin. This allows external tooling such as `pyarrow` to distinguish how a partition was produced.

### Improved ClickHouse Usability

Mar 11, 2026 · [@IyeOnline](https://github.com/IyeOnline), [@codex](https://github.com/codex), [@mavam](https://github.com/mavam), [@raxyte](https://github.com/raxyte) · [#5897](https://github.com/tenzir/tenzir/pull/5897)

The `to_clickhouse` operator now supports dynamic table names via an expression `table=...`, which must evaluate to a `string`. If the value is not a valid table name, the events will be dropped with a warning.

With this change, the operator will also create a database if it does not exist.

The prime use case for this is OCSF event streams:

```tql
subscribe "ocsf"
ocsf::cast encode_variants=true, null_fill=true
to_clickhouse table=f"ocsf.{class_name.replace(" ","_")}", ...
```

### Install Tenzir via Homebrew on macOS

Mar 8, 2026 · [@mavam](https://github.com/mavam) · [#5876](https://github.com/tenzir/tenzir/pull/5876)

You can now install Tenzir on Apple Silicon macOS via Homebrew:

```sh
brew tap tenzir/tenzir
brew install --cask tenzir
```

You can also install directly without tapping first:

```sh
brew install --cask tenzir/tenzir/tenzir
```

The release workflow keeps the Homebrew cask in sync with the signed macOS package so installs and uninstalls stay current across releases.

## 🔧 Changes

### Correct AWS Marketplace container image

Mar 19, 2026 · [@lava](https://github.com/lava) · [#5925](https://github.com/tenzir/tenzir/pull/5925)

The AWS Marketplace ECR repository `tenzir-node` was incorrectly populated with the `tenzir` image. It now correctly ships `tenzir-node`, which runs a Tenzir node by default.

If you relied on the previous behavior, you can restore it by setting `tenzir` as a custom entrypoint in your ECS task definition.

### Add Suricata schema types for IKE, HTTP2, PGSQL, and Modbus

Mar 17, 2026 · [@tobim](https://github.com/tobim) · [#5914](https://github.com/tenzir/tenzir/pull/5914)

The bundled Suricata schema now covers the remaining event types listed in the Suricata 8.0.3 EVE JSON format documentation: IKE (IKEv1/IKEv2), HTTP/2, PostgreSQL, and Modbus. This completes Suricata 8 schema coverage for Tenzir.

## 🐞 Bug Fixes

### Support long syslog structured-data parameter names

Mar 19, 2026 · [@mavam](https://github.com/mavam), [@codex](https://github.com/codex)

The `read_syslog` operator and `parse_syslog` function now accept RFC 5424 structured-data parameter names longer than 32 characters, which some vendors emit despite the specification limit.

For example, this message now parses successfully instead of being rejected:

```text
<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 [F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] broken example
```

This improves interoperability with vendor syslog implementations that exceed the RFC limit for structured-data parameter names.
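The following added example (not Tenzir's code) sketches a tolerant RFC 5424 parser in Python that accepts overlong parameter names, as described above, but reports them so that non-compliant senders stay visible. The function name `parse_rfc5424`, the output field names, and the `COMPLIANT` line are assumptions made for illustration; `SAMPLE` is the message from this release note.

```python
import re

SD_NAME_MAX = 32  # RFC 5424 cap on SD-NAME length

# SAMPLE is the message from the release note; COMPLIANT is a constructed line.
SAMPLE = ('<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 '
          '[F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] '
          'broken example')
COMPLIANT = r'<13>1 2026-03-18T11:00:52Z host app - - [ex@32473 path="C:\\tmp\\a[1\]"] ok'

HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
NAME = r'[^\s=\]"]+'           # SD-NAME characters, deliberately without a length cap
VALUE = r'(?:[^"\\\]]|\\.)*'   # '"', '\' and ']' must be backslash-escaped
ELEMENT = re.compile(rf'\[({NAME})((?: {NAME}="{VALUE}")*)\]')
PARAM = re.compile(rf' ({NAME})="({VALUE})"')


def parse_rfc5424(line):
    """Parse one RFC 5424 line; accept overlong parameter names but report them."""
    head = HEADER.match(line)
    if not head:
        raise ValueError("not an RFC 5424 header")
    pri = int(head[1])
    keys = ("version", "timestamp", "hostname", "app_name", "procid", "msgid")
    event = dict(zip(keys, head.groups()[1:]), facility=pri >> 3, severity=pri & 7)
    pos, sd, overlong = head.end(), {}, []
    if line.startswith("-", pos):          # NILVALUE: no structured data
        pos += 1
    else:
        while (elem := ELEMENT.match(line, pos)):
            sd_id, raw = elem[1], elem[2]
            # Undo the three escapes RFC 5424 defines inside PARAM-VALUE.
            sd[sd_id] = {n: re.sub(r'\\(["\\\]])', r"\1", v)
                         for n, v in PARAM.findall(raw)}
            overlong += [n for n in sd[sd_id] if len(n) > SD_NAME_MAX]
            pos = elem.end()
        if not sd:
            raise ValueError("malformed STRUCTURED-DATA")
    event.update(structured_data=sd, overlong_names=overlong,
                 message=line[pos:].lstrip(" "))
    return event


if __name__ == "__main__":
    for line in (SAMPLE, COMPLIANT):
        print(parse_rfc5424(line)["overlong_names"])
```
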

### Fix batch timeout to flush asynchronously

Mar 14, 2026 · [@aljazerzen](https://github.com/aljazerzen) · [#5906](https://github.com/tenzir/tenzir/pull/5906)

The batch timeout was only checked when a new event arrived, so a single event followed by an idle stream would never be emitted. The timeout now fires independently of upstream activity.

### Fix `parse_winlog` batch splitting

Mar 13, 2026 · [@jachris](https://github.com/jachris) · [#5901](https://github.com/tenzir/tenzir/pull/5901)

The `parse_winlog` function could fragment output into thousands of tiny batches due to type conflicts in `RenderingInfo/Keywords`, where events with one `<Keyword>` emitted a string but events with multiple emitted a list. Additionally, `EventData` with unnamed `<Data>` elements is now always emitted as a record with `_0`, `_1`, etc. as field names instead of a list.
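The added Python example below (an illustration, not Tenzir's implementation) shows why a field whose type depends on the data fragments a columnar stream, and how a fixed shape avoids it. It assumes a simplified model in which every schema change starts a new batch, and that the stable form always emits keywords as a list; the events and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from itertools import groupby


# Constructed events (not real logs); real Windows event XML also carries a namespace.
def make_event(keywords, data):
    kw = "".join(f"<Keyword>{k}</Keyword>" for k in keywords)
    d = "".join(f"<Data>{v}</Data>" for v in data)
    return (f"<Event><RenderingInfo><Keywords>{kw}</Keywords></RenderingInfo>"
            f"<EventData>{d}</EventData></Event>")


STREAM = [make_event(["Audit Success"], ["alice", "0x3e7"]),
          make_event(["Audit Failure", "Classic"], ["bob", "0x3e4"])] * 500


def texts(root, path):
    return [el.text for el in root.findall(path)]


def render_unstable(xml):
    """Shape depends on the data: one keyword -> string, several -> list."""
    root = ET.fromstring(xml)
    kws = texts(root, "RenderingInfo/Keywords/Keyword")
    return {"Keywords": kws[0] if len(kws) == 1 else kws,
            "EventData": texts(root, "EventData/Data")}


def render_stable(xml):
    """Shape is fixed: keywords always a list, unnamed Data a record _0, _1, ..."""
    root = ET.fromstring(xml)
    data = texts(root, "EventData/Data")
    return {"Keywords": texts(root, "RenderingInfo/Keywords/Keyword"),
            "EventData": {f"_{i}": v for i, v in enumerate(data)}}


def schema(event):
    """Type signature of an event; one batch can hold only one signature."""
    return tuple((k, type(v).__name__) for k, v in event.items())


def count_batches(events):
    """Number of batches when every schema change starts a new batch."""
    return sum(1 for _ in groupby(events, key=schema))


if __name__ == "__main__":
    print(count_batches(map(render_unstable, STREAM)),
          count_batches(map(render_stable, STREAM)))
```
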

### Optimize `in` operator and fix eq/neq null semantics

Mar 12, 2026 · [@jachris](https://github.com/jachris) · [#5899](https://github.com/tenzir/tenzir/pull/5899)

The `in` operator for list expressions is up to 33x faster. Previously it created and finalized entire Arrow arrays for every element comparison, causing severe overhead for expressions like `EventID in [5447, 4661, ...]`.

Additionally, comparing a typed null value with `==` now returns `false` instead of `null`, and `!=` returns `true`, fixing a correctness issue with null handling in equality comparisons.

### Fix secret comparison bypass in `in` operator fast path

Mar 12, 2026 · [@jachris](https://github.com/jachris) · [#5899](https://github.com/tenzir/tenzir/pull/5899)

The `in` operator fast path now correctly prevents comparison of secret values. Previously, `secret_value in [...]` would silently compare instead of returning null with a warning, bypassing the established secret comparison policy.

### Fix pattern equality ignoring case-insensitive flag

Mar 12, 2026 · [@jachris](https://github.com/jachris) · [#5900](https://github.com/tenzir/tenzir/pull/5900)

Pattern equality checks now correctly consider the case-insensitive flag. Previously, two patterns that differed only in case sensitivity were treated as equal, violating the hash/equality contract.

### Fix over-reservation in `partition_array` for string/blob types

Mar 12, 2026 · [@jachris](https://github.com/jachris) · [#5899](https://github.com/tenzir/tenzir/pull/5899)

Splitting Arrow arrays for string and blob types no longer over-reserves memory. Previously both output builders reserved the full input size each, using up to twice the necessary memory.

[Download on GitHub](https://github.com/tenzir/tenzir/releases/tag/v5.29.2): get the release artifacts and source code.