# Tenzir Node v5.7.0 Tenzir Node v5.7.0 introduces a new secret type that keeps its sensitive content hidden while enabling flexible secret retrieval. This release also adds support for OCSF extensions and brings several improvements to the operator. ## 馃殌 Features ### Secrets Dec 17, 2025 路 [@IyeOnline](https://github.com/IyeOnline) 路 [#5065](https://github.com/tenzir/tenzir/pull/5065), [#5197](https://github.com/tenzir/tenzir/pull/5197) Tenzir now features a new first class type: `secret`. As the name suggests, this type contains a secret value that cannot be accessed by a user: ```tql from { s: secret("my-secret") } ``` ```tql { s: "***", // Does not render the secret value } ``` A secret is created by the `secret` function, which changes its behavior with this release. Operators now accept secrets where appropriate, most notably for username and password arguments, but also for URLs: ```tql let $url = "https://" + secret("splunk-host") + ":8088" to_splunk $url, hec_token=secret("splunk-hec-token") ``` However, a `string` is implicitly convertible to a `secret` in an operator argument, meaning that you do not have to configure a secret if you are fine with just a string literal: ```tql to_splunk "https://localhost:8088", hec_token="my-plaintext-token" ``` Along with this feature in the Tenzir Node, we introduced secret stores to the Tenzir Platform. You can now centrally manage secrets in the platform, which will usable by all nodes within the workspace. Read more about this in the release notes for the Tenzir Platform and our Explanations page on secrets. ### Preserving variants when using `ocsf::apply` Jul 1, 2025 路 [@jachris](https://github.com/jachris) 路 [#5312](https://github.com/tenzir/tenzir/pull/5312) The `ocsf::apply` operator now has an additional `preserve_variants` option, which makes it so that free-form objects are preserved as-is, instead of being JSON-encoded. Most notably, this applies to the `unmapped` field. For example, if `unmapped` is `{x: 42}`, then `ocsf::apply` would normally JSON-encode it so that it ends up with the value `"{\"x\": 42}"`. If `ocsf::apply preserve_variants=true` is used instead, then `unmapped` simply stays a record. Note that this means that the event schema changes whenever the type of `unmapped` changes. ### Enhanced file renaming in `from_file` operator Jun 30, 2025 路 [@dominiklohmann](https://github.com/dominiklohmann) 路 [#5303](https://github.com/tenzir/tenzir/pull/5303) The `from_file` operator now provides enhanced file renaming capabilities when using the `rename` parameter. These improvements make file operations more robust and user-friendly. **Directory creation**: The operator now automatically creates intermediate directories when renaming files to paths that don鈥檛 exist yet. For example, if you rename a file to `/new/deep/directory/structure/file.txt`, all necessary parent directories (`/new`, `/new/deep`, `/new/deep/directory`, `/new/deep/directory/structure`) will be created automatically. ```tql from_file "/data/*.json", rename=path => f"/processed/by-date/2024/01/{path.file_name()}" ``` **Trailing slash handling**: When the rename target ends with a trailing slash, the operator now automatically appends the original filename. This makes it easy to move files to different directories while preserving their names. ```tql // This will rename "/input/data.json" to "/output/data.json" from_file "/input/*.json", rename=path => "/output/" ``` Previously, you would have needed to manually extract and append the filename: ```tql // Old approach - no longer necessary from_file "/input/*.json", rename=path => f"/output/{path.file_name()}" ``` ### Support for OCSF extensions Jun 27, 2025 路 [@jachris](https://github.com/jachris) 路 [#5306](https://github.com/tenzir/tenzir/pull/5306) The `ocsf::apply` operator now supports OCSF extensions. This means that `metadata.extensions` is now also taken into account for casting and validation. At the moment, only the extensions versioned together with OCSF are supported. This includes the `win` and `linux` extensions. ### `save_tcp` now reconnects on network outages Jun 26, 2025 路 [@tobim](https://github.com/tobim) 路 [#5230](https://github.com/tenzir/tenzir/pull/5230) The `save_tcp` (`from "tcp://..."`) operator now tries to reconnect in case of recoverable errors such as network outages and in case the remote end disconnects. You can use the new options `retry_delay: duration` and `max_retry_count: int` to tune the behavior to your needs. The default values are set to 30 seconds and 10 times respectively. ### Add an option to add extra headers to the platform request Jun 26, 2025 路 [@lava](https://github.com/lava) 路 [#5287](https://github.com/tenzir/tenzir/pull/5287) The new option `tenzir.platform-extra-headers` causes the Tenzir Node to add the given extra HTTP headers when establishing the connection to the Tenzir Platform, for example to pass additional authentication headers when traversing proxies. You can set this variable either via configuration file: ```yaml tenzir: platform-extra-headers: Authentication: Bearer XXXX Proxy-Authentication: Bearer YYYY ``` or as environment variable: (note the double underscore before the name of the header) ```sh TENZIR_PLATFORM_EXTRA_HEADERS__AUTHENTICATION="Bearer XXXX" TENZIR_PLATFORM_EXTRA_HEADERS__PROXY_AUTHENTICATION="Bearer YYYY" ``` When using the environment variable version, the Tenzir Node always converts the name of the header to lowercase and converts underscores to dashes, so a header specified as `TENZIR_PLATFORM_EXTRA_HEADERS__EXTRA_HEADER=extra` will be sent as `extra-header: extra` in the HTTP request. ## 馃敡 Changes ### The `secret` function returns secrets Dec 17, 2025 路 [@IyeOnline](https://github.com/IyeOnline) 路 [#5065](https://github.com/tenzir/tenzir/pull/5065), [#5197](https://github.com/tenzir/tenzir/pull/5197) The `secret` function now returns a `secret`, the strong type introduced in this release. Previously it returned a plaintext `string`. This change protects secrets from being leaked, as only operators can resolve secrets now. If you want to retain the old behavior , you can enable the configuration option `tenzir.legacy-secret-model`. In this mode, the `secret` function can only resolve secrets from the Tenzir Node鈥檚 configuration file and not access any external secret store. ### Kafka operators now automatically configure SASL mechanism for AWS IAM Jul 1, 2025 路 [@raxyte](https://github.com/raxyte) 路 [#5307](https://github.com/tenzir/tenzir/pull/5307) The `load_kafka` and `save_kafka` operators now automatically set `sasl.mechanism` option to the expected `OAUTHBEARER` when using the `aws_iam` option. If the mechanism has already been set to a different value, an error is emitted. ### TQL2 support in compaction plugin Jun 25, 2025 路 [@jachris](https://github.com/jachris) 路 [#5302](https://github.com/tenzir/tenzir/pull/5302) The pipelines defined as part of the compaction configuration can now use TQL2. For backwards-compatibility, TQL1 pipelines still work, but they are deprecated and emit a warning on start-up. ## 馃悶 Bug Fixes ### `from_file` with a per-file sink Jun 30, 2025 路 [@dominiklohmann](https://github.com/dominiklohmann) 路 [#5303](https://github.com/tenzir/tenzir/pull/5303) The `from_file` operator no longer fails when its per-file pipeline argument is a sink. Before this fix, the following pipeline which opens a new TCP connection per file would not work: ```tql from_file "./*.csv" { read_csv write_ndjson save_tcp "localhost:8080" } ``` ### Fixed shutdown hang during storage optimization Jun 30, 2025 路 [@IyeOnline](https://github.com/IyeOnline) 路 [#5301](https://github.com/tenzir/tenzir/pull/5301) Nodes periodically merge and optimize their storage over time. We fixed a hang on shutdown for nodes while this process was ongoing. [ Download on GitHub ](https://github.com/tenzir/tenzir/releases/tag/v5.7.0) [Get the release artifacts and source code.](https://github.com/tenzir/tenzir/releases/tag/v5.7.0)