Jun 11, 2026 · @avaq, @jachris
The Platform frontend can now export OpenTelemetry traces over OTLP, giving operators end-to-end visibility into the requests its backend handles.
Enable tracing and point it at your OTLP collector:
PUBLIC_ENABLE_TRACING=true
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
Traces are sent to ${OTEL_EXPORTER_OTLP_ENDPOINT}/v1/traces by default. Set OTEL_EXPORTER_OTLP_TRACES_ENDPOINT to override the traces endpoint directly.
When exporting to a collector that requires authentication, supply headers as comma-separated key=value pairs:
OTEL_EXPORTER_OTLP_HEADERS="authorization=Bearer <token>,x-tenant=acme"
Jun 3, 2026 · @gitryder
We improved the Stream view by displaying fields that are shared across all schemas in dedicated columns. Timestamps are the first supported field, making it easier to scan and compare at a glance while still allowing you to expand rows to view the full event. When no shared timestamp field is available, Stream view continues to use the existing layout.
Jun 22, 2026 · @avaq
The Platform configuration variable PUBLIC_USE_INTERNAL_WS_PROXY no longer
has any effect. The platform now behaves as though this setting is always
enabled: All connections to the Websocket Gateway are now proxied through the
App Server ("BFF").
The PUBLIC_WEBSOCKET_GATEWAY_ENDPOINT variable that used to configure the
direct Gateway connection is now used as a fallback for when the
PRIVATE_WEBSOCKET_GATEWAY_ENDPOINT isn't defined.
Jun 4, 2026 · @avaq
We overhauled the frontend's login and session handling. Compared to the previous release:
Jun 19, 2026 · @gitryder
Previously, after saving an edit on the pipeline detail page, the Cancel/Update bar would briefly reappear for about a second before disappearing again, even though nothing had changed. The bar now hides on a successful save and stays hidden until you make a new edit.
Jun 18, 2026 · @avaq
The main menu links (Pipelines, Explorer, Contexts, and Library) now navigate correctly from all pages in the app. Previously, some pages would always link to the Pipelines page, even when clicking one of the other items.
Jun 16, 2026 · @Zedoraps, @claude
The Library tab now loads reliably after a previous attempt was interrupted by a page reload or navigation. Previously the tab could get stuck at "Loading…" indefinitely until the browser session was cleared.
Jun 16, 2026 · @Zedoraps, @claude
The Explorer's Examples drawer no longer hangs at "Loading…" on Tenzir
Nodes that have installed packages whose examples are missing a name
or description (for instance several mappers under microsoft/,
fortinet/, otel/, and zscaler/ in the Tenzir Library).
Jun 16, 2026 · @avaq
The documentation panel should now show the documentation website again, instead of a white page.
Jun 9, 2026 · @gitryder
We fixed an issue where the pipeline detail page could get stuck on loading skeletons when a node disconnected. The page now stays open and keeps showing the pipeline's definition along with a notice that the node is disconnected, and recovers automatically once the node reconnects.
Jun 4, 2026 · @gitryder
Previously, when a workspace was removed from the static configuration file, dashboards that users had created within that workspace were left behind as orphaned records in the database. These could resurface if a new workspace later reused the same workspace ID. Removing a static workspace now also deletes these user-created dashboards.
Jun 3, 2026 · @tobim, @claude · #184
Downloading results from the Explorer now works on Tenzir Nodes v6+ that are
configured to run pipelines on the legacy execution engine (tenzir.neo: false). Previously, preparing the download failed on such nodes because the
pipeline that uploads the results relied on functionality that is only
available in the new execution engine. The download pipeline now always runs
on the new execution engine, regardless of the node's configuration.
Jun 22, 2026 · @mavam, @codex · #31
The changelog-entry skill no longer suggests passing --pr in the default tenzir-ship add command before a pull request number exists. Agents can rely on PR auto-inference once a pull request is open, or backfill prs after filing the PR.
Jun 18, 2026 · @mavam, @codex · #30
The release create command now keeps supported package lockfiles in sync when it updates package manifest versions.
When a sibling package-lock.json exists, tenzir-ship updates the lockfile root package version metadata alongside package.json, including already-current manifests with stale lockfiles. When a sibling uv.lock exists next to pyproject.toml, tenzir-ship runs uv lock after updating the manifest so uv regenerates the lockfile metadata. This keeps generated release commits consistent without requiring every workflow caller to add package-manager-specific post-create hooks.
Jun 2, 2026 · @IyeOnline, @codex
Parallel suites now start each reserved batch of tests together, making publisher/subscriber and other interdependent pipeline suites more reliable.
Use the existing suite.mode: parallel configuration:
suite:
name: pipeline-suite
mode: parallel
min_jobs: 2
When enough jobs are available for the whole suite, all suite members start
together. When the suite is larger than --jobs, the harness runs synchronized
batches instead.
release create now keeps unreleased/ anchored after consuming entries so Git no longer moves changelog entries from long-lived branches into the just-created release during rebases or merges.
This prevents entries for unreleased work from accidentally appearing in release notes that were already cut.
]]>Jun 10, 2026 · @mavam, @claude · #23
Added tenzir-cef, a generated ArcSight CEF (Common Event Format) reference skill for generating, parsing, and mapping CEF events, bundled with the ArcSight ESM event schema behind the format.
The skill exposes all 174 predefined extension keys from the OpenText extension dictionary as YAML — exact key spelling, expanded full name, data type, length, producer/consumer audience, and the CEF specification version that introduced each key — alongside the full ESM event schema: 479 data fields across 18 groups with labels, script aliases, types, and turbo levels. Extension keys whose full name resolves to an ESM script alias are crosswalked to their schema groups. Markdown guidance covers the CEF header, severity, character escaping, special mappings, user-defined extensions, and date formats. Upstream quirks, such as the duplicated dmac row and mid-word line-wrap artifacts in key names, are normalized and documented in the source notes.
Jun 10, 2026 · @mavam, @claude · #20
Added tenzir-leef, a generated IBM QRadar LEEF (Log Event Extended Format) reference skill for generating, parsing, and mapping LEEF 2.0 events.
The skill exposes all 45 predefined event attributes as YAML — exact key spelling, value type, normalization behavior, attribute limits, and reserved status — plus Markdown guidance for the syslog and LEEF headers, delimiter rules, custom event keys, and devTime/devTimeFormat timestamp patterns. Spec quirks published by IBM, such as the identSecondlp typo, are preserved verbatim and annotated.
Jun 10, 2026 · @mavam, @claude · #21
Added tenzir-edm, a generated FortiSIEM Event Data Model reference skill for mapping events into Fortinet's normalized event attributes.
The skill covers all 21 data models of the FortiSIEM 7.5.0 Event Data Model documentation, exposing event attributes with types, display names, descriptions, and cross-model usage as YAML, plus Markdown copies of the upstream Fortinet pages for audit.
Added tenzir-ecs, a generated Elastic Common Schema reference skill for mapping logs and security telemetry into ECS.
The skill exposes ECS fields, fieldsets, categorization values, field reuse metadata, and ECS/OpenTelemetry relations as YAML, with curated upstream Markdown guidance for categorization, network mapping, custom fields, cloud and service context, threat indicators, and user modeling.
Jun 6, 2026 · @mavam, @codex · #15
Added tenzir-cim, a generated Splunk Common Information Model reference skill for mapping security telemetry to CIM.
The generator takes an unpacked Splunk_SA_CIM app directory as input and emits agent-native YAML catalogs for CIM data models, datasets, effective fields, constraints, calculated fields, and lookup-backed values, translations, and enrichments. The generated skill also bundles core Splunk CIM 8.5 documentation as reference-only prose while keeping the app-derived YAML authoritative.
Jun 4, 2026 · @mavam, @codex · #11, #17
Added tenzir-asim, a Microsoft Sentinel ASIM reference skill for mapping security telemetry to ASIM.
The generated reference currently covers 12 event schemas, 1 entity schema, 539 distinct fields, 1,426 schema field records, and 73 alias records from Microsoft Defender Docs. It now emits agent-native YAML catalogs, schema files, field files, alias data, and guidance data so agents can choose target ASIM schemas and map source telemetry with less context-window overhead.
Jun 10, 2026 · @mavam, @claude · #22
The tenzir-design-system skill is now the canonical home of the Tenzir design system and supports many consumers beyond Platform CSS: plain CSS, Tailwind, Quarto documents, slide decks, and Mermaid/Graphviz diagrams.
Token values now live in machine-readable YAML: data/brand.yml follows Quarto's brand.yml schema and can be consumed directly via brand: data/brand.yml, while data/tokens.yml carries the extended tokens (spacing, radius, type scale, shadows, motion, z-index, breakpoints, and a dark-mode mapping). Markdown references explain how to choose tokens; per-tool guides under references/tools/ provide ready-to-use CSS custom properties, Tailwind v4/v3 configuration, a shadcn/ui theme, and diagram/slide styling.
Jun 7, 2026 · @mavam, @codex · #18
The Google UDM skill is now installed and referenced as tenzir-udm.
Use the new skill name when installing it directly:
npx skills add tenzir/skills@tenzir-udm
Jun 7, 2026 · @mavam, @codex · #16
The Google UDM skill now exposes record definitions as YAML leaves rather than Markdown message pages. Record YAML uses data-centric type shapes such as list<T>, optional<T>, map<K, V>, variant, and field unions, making event and entity fields easier for agents to scan when mapping logs into UDM.
Jun 6, 2026 · @mavam, @codex · #14
The Google UDM skill now clarifies that Entity Type Guidance values such as USER or ASSET belong to the Entity object's metadata.entity_type / metadata.entityType, while entities.import uses a separate inlineSource.logType for the context source, such as AZURE_AD_CONTEXT.
Jun 12, 2026 · @mavam, @claude · #6352
Field-typed parameters of user-defined operators now accept selectors as defaults in the TQL frontmatter, such as this, this.name, or foo.bar. Previously, the only allowed default for a field parameter was null.
For example, this operator wraps a field into a record and operates on the entire event when no argument is given:
---
args:
named:
- name: field
type: field
default: this
---
this = {wrapped: $field}
Calling the operator without arguments wraps the whole event, while passing field=name wraps just that field. This makes it easy to write mapping operators that work on the full event by default but can be scoped to a subrecord on demand.
Jun 8, 2026 · @mavam, @codex · #6262
The from_kafka operator can now consume from topics selected by a regular
expression when the topic argument starts with ^:
from_kafka "^tenant-.*\\.alerts$", offset="beginning"
This lets one pipeline consume matching Kafka topics without listing each topic separately.
As part of this change, from_kafka now consumes all topics—exact and
regex—through Kafka's consumer group subscription. This has two visible
effects. First, pipelines that share a group.id (default: tenzir) now split
the partitions of a topic among themselves instead of each receiving every
message; give each pipeline its own group.id to keep full copies. Second,
partition assignments now follow group rebalances, so they may shift when
pipelines with the same group.id start or stop. The exit option is not
available for regex topics, because a regex subscription has no bounded set of
partitions to reach the end of.
Jun 5, 2026 · @zedoraps, @claude · #6261
The new drop_null_fields function strips fields whose value is null from a
record, mirroring the existing drop_null_fields operator. This lets you clean
optional fields inline in expressions, for example
from_http "...", body=drop_null_fields({license: $license, version: 1, mapping: $mapping}).
May 15, 2026 · @mavam, @codex · #6188
Tenzir can now read from and write to Amazon Kinesis data streams with the from_amazon_kinesis and to_amazon_kinesis operators:
from_amazon_kinesis "telemetry", start="trim_horizon"
this = string(message).parse_json()
read_ndjson
// ... transform events ...
to_amazon_kinesis "telemetry", partition_key=src_ip
The operators support existing AWS IAM configuration and endpoint overrides for local testing environments such as LocalStack.
Jun 3, 2026 · @raxyte, @codex · #6216
The to_google_secops operator now uses the Chronicle logs.import,
events.import, and entities.import APIs instead of the legacy unstructured
ingestion API.
The operator now targets a SecOps instance with project, region, and
instance, authenticates with Google Cloud OAuth2 credentials, and supports raw
log ingestion with mode="raw_log", UDM event ingestion with mode="udm_event", and
entity ingestion with mode="udm_entity".
Jun 12, 2026 · @mavam, @codex · #6188
The to_opensearch and to_amazon_cloudwatch sinks now reliably flush partial batches after their configured timeout while the pipeline continues to run.
Previously, concurrent wakeups could race with batch deadline updates, which could cause timeout-based flushes or CloudWatch send-completion handling to be missed.
Jun 12, 2026 · @mavam, @codex · #6188
AWS-backed operators that issue parallel signed HTTP requests now send concurrent requests over separate pooled connections.
Previously, HTTP/1.1 request pipelining could serialize parallel requests behind a single connection, so parallel settings for sinks such as to_amazon_cloudwatch did not provide the intended concurrency.
Jun 10, 2026 · @aljazerzen, @claude · #6270
Filters inside a parallel { … } subpipeline no longer escape past the
parallel operator during optimization.
Previously, a filter such as the where below was lifted out of the
subpipeline and applied before parallel:
parallel { where x > 1 | ... }
The filter now stays inside the subpipeline, where it belongs, so it runs
distributed across the parallel jobs. Filters from downstream of parallel are
still pushed into the subpipeline as before.
Jun 9, 2026 · @Zedoraps · #6267
The accept_http, accept_opensearch, and serve_http operators no longer
abort the node when they fail to bind their endpoint. Starting a second
pipeline on a port that is already in use—or restarting one before the
previous instance has released its socket—previously crashed the entire node
process. Now the operator emits a regular diagnostic:
error: failed to start HTTP server: failed to bind to async server socket:
0.0.0.0:8774: Address already in use
The pipeline that hit the conflict exits with an error while every other pipeline running on the node keeps going.
Jun 8, 2026 · @mavam, @jachris, @codex · #6264
Package UDO field parameters now support assignment through field accesses. This lets package operators write to nested fields of a field argument using dot syntax, string-literal bracket syntax, or dynamic index expressions.
For example, this package UDO body is now valid:
$field.subfield = $value
$field["quoted-field"] = $value
$field[$key] = $value
This is useful for mapping operators that accept an event= target and need to keep temporary state under that target instead of creating top-level scratch fields.
Jun 5, 2026 · @mavam, @codex · #27
The changelog validation workflow now appears as Validate changelog in GitHub status checks instead of the raw job id validate, making required branch checks easier to identify.
The bundled agent skill now tells release automation to preserve published changelog history while still allowing clearly related unreleased entries to be merged before release.
Historical release notes, manifests, and released entry files are treated as immutable records, with edits reserved for explicit severe publication fixes. For unreleased work, agents now check whether a related entry already exists and merge it instead of creating duplicate changelog entries, reconciling the title, type, and description while appending distinct authors, pull request numbers, and components.
The merge guidance now requires a clear relationship based on the user-facing outcome, not just nearby implementation work, shared files, authors, or PR timing. Ambiguous changes should get a separate entry, and unrelated unreleased entries must remain untouched.
Promoting a release candidate to a stable release now folds in changelog entries added to unreleased/ after the last candidate snapshot. The folded entries appear in the release manifest and notes, and are consumed from the unreleased queue. Previously they were silently left behind and missing from the stable release notes. The confirmation table now marks entries carried over from the candidate with a dim bullet and newly folded entries with a plus sign.
window operator for event-time windowing, which groups streaming events into configurable time windows driven by event timestamps rather than wall-clock time. It also adds several new operators — ai::prompt for LLM integration, from_microsoft_sql for SQL Server reads, and to_prometheus for Prometheus Remote Write — along with Crypto-PAn decryption and multiple reliability fixes.
Jun 6, 2026 · @mavam, @codex · #6259
The new decrypt_cryptopan function decrypts IP addresses that were encrypted
with encrypt_cryptopan and the same seed. The function can also force the
Crypto-PAn domain with family="ipv4" or family="ipv6" when decrypting an
ambiguous ciphertext.
Jun 4, 2026 · @jachris · #6253
The new window operator groups streaming events into event-time windows and
runs a subpipeline for each window:
window size=10min, every=1min, on=ts {
summarize failures=count()
start = $window.start
end = $window.end
}
Unlike every, which reruns a subpipeline on a wall-clock schedule, window
operates on event time: it assigns each event to windows by the timestamp
that on evaluates to, and its internal clock is driven entirely by the
timestamps of the incoming events. Windows are aligned to the Unix epoch and are
either tumbling (omit every) or overlapping/hopping (every < size).
tolerance sets how much out-of-order lag the clock waits for before a window
closes; events that arrive after their window closed are dropped with a warning.
idle_timeout makes window also well suited to low-volume streams: a window
is emitted once it has been inactive for the given duration, so results arrive
promptly even when the next event is far off, instead of waiting for it or for
the end of the input.
Each window's $window.start and $window.end are available inside the
subpipeline, which may also end in a sink.
Jun 1, 2026 · @aljazerzen, @codex · #6243
TQL now includes read_chunks and write_chunks for converting between byte streams and records with a bytes field.
For example, you can capture arbitrary output as records and turn it back into a byte stream later:
from {line: "hello"}, {line: "world"}
write_lines
read_chunks
write_chunks
read_lines
This makes it easier to inspect, buffer, transform, and roundtrip chunked byte streams inside a pipeline.
May 28, 2026 · @mavam, @codex · #6260
The new ai::prompt operator sends each input event to an OpenAI-compatible
Responses API endpoint and writes a result record back into the event:
from {message: "summarize this"}
ai::prompt model="gpt-4.1-mini"
By default the operator serializes this as compact JSON, writes the generated
text plus model, token usage, and latency metadata to ai.prompt, and uses the
local Ollama endpoint at
http://127.0.0.1:11434/v1. Override endpoint to use another
OpenAI-compatible service.
May 26, 2026 · @tobim, @codex · #6221
The new from_microsoft_sql operator reads rows from Microsoft SQL Server:
from_microsoft_sql table="dbo.users",
host="sql.example.net",
user="tenzir",
password=secret("mssql-password"),
database="telemetry"
It supports table reads, custom sql or query statements, schema inspection with show="tables" and show="columns", SQL authentication, secret-backed passwords, TLS, and live polling via integer tracking columns. Result decoding covers SQL Server scalar values including integers, booleans, floats, decimals, money values, strings, binary data, uniqueidentifier, date/time values, XML, and JSON stored as text.
May 15, 2026 · @mavam, @codex · #6189
The new to_prometheus operator sends metric events to Prometheus Remote Write receivers.
For example:
from {
metric: "http_requests_total",
value: 42,
timestamp: 2026-05-15T10:00:00Z,
labels: {method: "GET", status: 200},
}
to_prometheus "https://prometheus.example/api/v1/write"
The operator supports Prometheus Remote Write v1 by default and can send Remote Write v2 payloads with protobuf_message="io.prometheus.write.v2.Request".
Jun 6, 2026 · @mavam, @codex · #6258
Spreading null into a list no longer emits a warning. This makes optional list-building expressions work without an explicit else [] fallback:
from {xs: null}
items = [1, ...xs, 2]
The expression produces [1, 2], and concatenate, append, and prepend follow the same warning-free behavior for null list inputs.
Jun 9, 2026 · @tobim, @codex · #6268
Tenzir Nodes now connect to the Tenzir Platform during startup before waiting for the local index to become available. Previously, Platform connectivity could be delayed while the index was still initializing.
Jun 9, 2026 · @jachris · #6265
A where filter that checks for a substring with the literal on the left, such
as where "TRAFFIC" in log, incorrectly removed every event when reading from
subscribe. Such filters now match correctly again.
Jun 5, 2026 · @jachris · #6256
Calling the map or where list functions with a non-lambda argument now
fails with a clear expected a lambda diagnostic instead of aborting the
pipeline with an internal error.
For example, the following pipeline previously crashed and now reports a proper error:
from {xs: [1, 2, 3]}
xs = xs.map(null)
Jun 2, 2026 · @tobim, @codex · #6216
Rebuilds now limit how much partition data they load into memory at once.
This reduces the risk that automatic rebuilds or tenzir-ctl rebuild start
cause the node to run out of memory when many partitions are selected.
When memory is scarce, rebuilds load fewer partitions in one batch and retry the remaining partitions later instead of materializing the full selected input set up front.
Jun 2, 2026 · @tobim, @codex · #6248
Tenzir now validates all configured and packaged pipelines before starting any of them during node startup. Previously, a deployment with multiple configured pipelines could start some valid pipelines and only then abort after discovering that a later pipeline was invalid.
]]>Jun 4, 2026 · @mavam, @codex · #12
The tenzir-google-udm skill now shows both UDM field spellings when they differ, so mapping and detection workflows can use the same reference.
For example, generated field headings now show event_type / eventType and security_result / securityResult. Use the right side when mapping logs into UDM event or entity objects for Google SecOps UDM API ingestion; use the left side in YARA-L, Detect Engine, CBN, and other dotted field-path contexts.
Jun 5, 2026 · @mavam, @codex · #13
The tenzir-manage-packages skill now focuses on package lifecycle management instead of package content development.
It routes agents through package surfaces such as manifests, UDO files, pipelines, examples, tests, changelog entries, and publishing while leaving operator implementation details to the relevant docs or specialized skills.
]]>The package creation workflow is now centered on tenzir-create-package, a single skill for building library-quality Tenzir packages with UDOs, tests, examples, disabled-by-default pipelines, inputs, contexts, and optional OCSF mappings.
Before:
npx skills add tenzir/skills@tenzir-create-parser-package
npx skills add tenzir/skills@tenzir-create-ocsf-mapping
After:
npx skills add tenzir/skills@tenzir-create-package
Use the new skill for parser package work, OCSF mapping work, and broader package development.
Added tenzir-google-udm, a generated Google SecOps UDM schema and
normalization guidance skill derived from the canonical googleapis/googleapis
UDM and Entity protocol buffers plus targeted Google SecOps usage guidance.
PRIVATE_JWT_FROM_HEADER option were redirected to the login page when opening a workspace. Header-based authentication now loads workspaces correctly again.
Jun 2, 2026 · @lava
We fixed a regression introduced in v1.33.0 where users authenticating via the
PRIVATE_JWT_FROM_HEADER option were redirected to the login page (showing a
"Sign In" button) when opening a workspace, even though a valid JWT was supplied
in the configured header.
The workspace loader looked for the ID token in the session data, which is empty for header-based authentication. It now reads the token from the configured header, which is the authoritative source in that mode, so workspaces load correctly again.
]]>May 31, 2026 · @mavam, @codex · #6242
Package UDO argument types now use TQL type names, such as int, uint, and
float, instead of legacy names such as int64, uint64, and double. List
types use TQL syntax, for example type: "[int]" in YAML.
For example, a package operator argument like this now materializes $limit
as int64:
args:
named:
- name: limit
type: int
default: 1000
Apr 30, 2026 · @raxyte · #5766
The from_gcs operator has been renamed to from_google_cloud_storage so
that its name matches the new to_google_cloud_storage writer:
// Before:
from_gcs "gs://my-bucket/data/**.json"
// After:
from_google_cloud_storage "gs://my-bucket/data/**.json"
Update test suites that reference from_gcs in requires.operators
accordingly.
The default message expression of the to_kafka operator is now
this.print_ndjson() instead of this.print_json(). Kafka messages are
single-line records by default, so each event is now emitted as a single
NDJSON line:
{"timestamp":"2024-03-15T10:30:00.000000","source_ip":"192.168.1.100","alert_type":"brute_force"}
instead of pretty-printed multi-line JSON.
To restore the previous behavior, pass message=this.print_json()
explicitly.
The yara operator no longer accepts the blockwise argument. Instead, it
buffers the entire input as one contiguous byte sequence and runs the YARA
scan when the input ends. Matches can therefore span chunk boundaries, but
yara is now only suitable for finite byte streams. Don't use it on
never-ending inputs.
The rule argument now also accepts a single string in addition to a list
of strings:
from_file "evil.exe", mmap=true {
yara "rule.yara"
}
Removed:
yara ["rule.yara"], blockwise=true
Apr 30, 2026 · @aljazerzen · #5880
The measure operator no longer accepts the real_time argument. The
operator's emission cadence is now governed entirely by the executor's
backpressure, so the option no longer has a meaningful effect.
Remove real_time=true or real_time=false from your pipelines:
// Before:
measure real_time=true
// After:
measure
Apr 30, 2026 · @raxyte · #6001
The filesystem and cloud object reader operators (from_file, from_s3,
from_azure_blob_storage, from_google_cloud_storage) no longer accept the
path_field option. Instead, the parsing subpipeline now has access to a
$file let-binding describing the source file:
| Field | Type | Description |
| :------ | :------- | :--------------------------------------- |
| path | string | The absolute path of the file being read |
| mtime | time | The last modification time of the file |
To attach the source path to each event:
// Before:
from_file "/data/*.json", path_field=source
// After:
from_file "/data/*.json" {
read_json
source = $file.path
}
This makes per-file metadata available throughout the parsing subpipeline rather than only on emitted events.
Apr 30, 2026 · @aljazerzen · #5953
The from_http operator no longer doubles as an HTTP server. It is now a
pure HTTP client that issues one request and returns the response.
For accepting incoming HTTP requests, use the dedicated accept_http
operator instead:
// Before:
from_http "0.0.0.0:8080", server=true { read_json }
// After:
accept_http "0.0.0.0:8080" { read_json }
In the parsing subpipeline, the response metadata is now exposed as the
$response let-binding instead of being written into a metadata_field:
from_http "https://api.example.com/status" {
read_json
status_code = $response.code
server = $response.headers.Server
}
Additionally, the url and headers arguments are now resolved as
secrets, so you can pass
secret names instead of hardcoding tokens or sensitive URLs.
Apr 30, 2026 · @aljazerzen · #6066
The new accept_opensearch operator starts an OpenSearch-compatible HTTP
server and turns incoming Bulk API requests into events:
accept_opensearch "0.0.0.0:9200"
publish "events"
The operator buffers each bulk request body up to max_request_size,
optionally decompresses it based on the Content-Encoding header, parses the
NDJSON payload, and emits the resulting records. Set keep_actions=true to
also keep the OpenSearch action objects (e.g., {"create": ...}) in the
stream.
The from_opensearch operator has been removed. Use accept_opensearch
instead. The elasticsearch:// and opensearch:// URL schemes now dispatch
to accept_opensearch via from.
Two new operators provide first-class FTP and FTPS support with parsing and printing subpipelines:
from_ftp downloads bytes from an FTP or FTPS server and forwards them to
the parsing subpipeline.to_ftp uploads bytes produced by the printing subpipeline to an FTP or
FTPS server.from_ftp "ftp://user:pass@ftp.example.org/path/to/file.ndjson" {
read_ndjson
}
to_ftp "ftp://user:pass@ftp.example.org/a/b/c/events.ndjson" {
write_ndjson
}
The load_ftp and save_ftp operators have been removed, and the ftp://
and ftps:// URL schemes no longer dispatch via from and to. Use
from_ftp and to_ftp directly.
May 30, 2026 · @mavam, @codex · #6240
Tenzir now supports Unix stream sockets in the new executor with three dedicated operators:
from_unix_socket connects to a Unix domain socket and parses incoming bytes.accept_unix_socket listens on a socket path and parses each accepted client stream.to_unix_socket connects to a socket path and writes serialized bytes.These operators replace the previous uds=true options on from_file and
to_file. Use from_unix_socket or to_unix_socket for Unix domain socket clients, and keep
from_file and to_file for regular filesystem and object-storage access.
accept_unix_socket "/run/collector.sock" {
read_json
}
to_unix_socket "/run/collector.sock" {
write_ndjson
}
May 28, 2026 · @mavam, @codex · #6237
The sort function now recursively sorts record fields wherever they occur in
the sorted value, including records inside lists. Nested list element order is
preserved unless the list itself is being sorted.
The new write_delimited operator writes one string or blob value per
event and appends a separator after each value:
from {data: "a"}, {data: "b"}
to_stdout {
write_delimited data, "|"
}
This outputs:
a|b|
This lets you frame compact JSON, GELF over TCP with a null byte, or other preformatted messages without adding escaping or serialization in the byte writer.
The neo to_splunk implementation now accepts queue="indexing" and
queue="typing" for selecting the Splunk HEC processing queue. The default
indexing path keeps Splunk's regular HEC behavior, while typing sends the
Splunk parsingQueue hint in HEC event envelopes for receivers that support
this non-standard HEC metadata.
The default is queue="indexing". The typing queue is rejected with
raw=..., because Splunk's raw HEC endpoint sends raw requests to the indexer
queue.
May 18, 2026 · @jachris, @claude
The read_csv, read_tsv, read_ssv, and read_xsv operators now accept an
auto_fill=true option. When set, the parser silently fills missing trailing
columns with null instead of emitting a warning, which is useful when working
with feeds that legitimately omit optional trailing fields.
May 17, 2026 · @mavam, @codex · #6193
The from_http operator now supports returning request records from
paginate lambdas. This lets APIs keep pagination state in the next request
body or headers instead of only in the next URL:
from_http "https://opensearch.example.com/logs/_search",
method="post",
body={size: 500, query: {match_all: {}}},
paginate=(x => {
body: {
size: 500,
query: {match_all: {}},
search_after: x.hits.hits[-1].sort,
},
} if x.hits.hits != []) {
read_json
}
Returned request records can patch url, method, headers, and body.
Missing fields inherit from the current request, and body: null clears the
body.
May 16, 2026 · @mavam, @codex · #6190
The metrics operator now accepts shape="prometheus" to emit metrics from
metrics plugins as canonical {metric, value, timestamp, labels, type, unit}
records. The default remains shape="raw", which preserves the existing
tenzir.metrics.* schemas.
The new write_all operator concatenates one selected string or blob field
into raw bytes:
from_file "/tmp/report.pdf" {
read_all binary=true
}
to_file "/tmp/report-copy.pdf" {
write_all data
}
Use it to copy binary payloads, reconstruct byte streams after event processing, or write string fields without separators or escaping.
May 15, 2026 · @mavam, @codex · #6181
The new repeat function repeats a string a given number of times:
message = "na".repeat(8)
{
message: "nananananananana",
}
May 15, 2026 · @mavam, @codex · #6186
The from_http operator now accepts requests without an explicit parser
subpipeline when Tenzir can infer the response format from the Content-Type
header or URL extension:
from_http "https://example.com/events.json"
Explicit parser subpipelines continue to take precedence over inferred formats.
May 14, 2026 · @mavam, @codex · #6180
Tenzir now supports reading from and writing to CloudWatch Logs with the new
from_amazon_cloudwatch and to_amazon_cloudwatch operators. The source can
subscribe to live streams with mode="live", search historical log groups with
mode="search", or replay one stream with mode="replay".
from_amazon_cloudwatch "/aws/lambda/api", mode="search", filter="ERROR"
The default sink can send events with PutLogEvents, including configurable
batching, timestamp handling, parallel requests, and AWS IAM authentication via
aws_iam. The sink can also write to the CloudWatch HTTP ingestion endpoints by
setting method to json, ndjson, or hlc, with either SigV4 or bearer-token
authentication.
to_amazon_cloudwatch "/tenzir/events",
stream="default",
payload=message,
timestamp=ts
May 13, 2026 · @mavam, @codex · #6167, #6174
The from_sqs operator now gives you explicit control over how messages are
received from SQS. Use keep_messages=true to inspect or replay messages
without removing them from the queue, batch_size=<1..10> to control how many
messages each receive request may return, and visibility_timeout=<duration> to
override the queue visibility timeout for received messages:
from_sqs "events", keep_messages=true, batch_size=10, visibility_timeout=30s
By default, from_sqs keeps deleting each received message after emitting it.
With keep_messages=true, SQS makes the message visible again after the queue's
visibility timeout.
May 13, 2026 · @mavam, @codex · #6167, #6174
The from_amazon_sqs operator now gives you explicit control over how messages
are received from SQS. Use keep_messages=true to inspect or replay messages
without removing them from the queue, batch_size=<1..10> to control how many
messages each receive request may return, and visibility_timeout=<duration> to
override the queue visibility timeout for received messages:
from_amazon_sqs "events", keep_messages=true, batch_size=10,
visibility_timeout=30s
By default, from_amazon_sqs keeps deleting each received message after
emitting it. With keep_messages=true, SQS makes the message visible again
after the queue's visibility timeout.
May 12, 2026 · @mavam, @codex · #6165, #6179, #6182
Tenzir now includes a Microsoft Graph source operator for reads from Microsoft Graph v1.0 and beta collections with app-only Microsoft Entra authentication and OData pagination.
For example, you can read Entra ID sign-in logs with client credentials and push down OData query options:
from_microsoft_graph "auditLogs/signIns",
auth={
tenant_id: "contoso.onmicrosoft.com",
client_id: "00000000-0000-0000-0000-000000000000",
client_secret: secret("ms-graph-client-secret"),
},
odata={
filter: "createdDateTime ge 2026-04-24T00:00:00Z",
select: ["id", "createdDateTime", "userPrincipalName", "status"],
top: 1000,
}
The operator emits each object from the response value array as a separate event and follows @odata.nextLink until the collection is exhausted.
The operator can also use Microsoft Graph delta queries with delta=true, storing the returned @odata.deltaLink in memory and polling it with a configurable poll_interval. OData query options apply to the initial delta request only, subject to Microsoft Graph's resource-specific support, and subsequent polls use the opaque delta link exactly as Microsoft Graph returned it.
It also retries throttled and transient Microsoft Graph requests, respecting Retry-After when present.
May 12, 2026 · @mavam, @codex · #6160
Pipeline metrics now report event throughput alongside byte throughput for pipelines running on the new executor:
metrics "pipeline"
summarize ingress_events=sum(ingress.events), ingress_bytes=sum(ingress.bytes), egress_events=sum(egress.events), pipeline_id
sort -egress_events
This makes node metrics distinguish the amount of data transferred from the number of events processed.
May 8, 2026 · @IyeOnline, @codex · #6152
The new internal_memory_size function estimates the size of each event in
bytes:
size = internal_memory_size(this)
This is useful for building pipelines that inspect or route events based on their approximate in-memory payload size.
May 8, 2026 · @mavam, @codex · #6139
from_amqp now accepts a queue_arguments record for RabbitMQ queue declaration arguments:
from_amqp "amqp://broker/vhost",
queue="events",
queue_arguments={
"x-queue-type": "quorum",
"x-quorum-initial-group-size": 3
}
Use this to declare queues with broker-specific settings such as quorum queues, maximum lengths, message TTLs, single active consumers, and dead-letter exchanges.
TQL now supports statement-level match blocks for branching on patterns:
match action {
"accept" | "allow" => { verdict = "allowed" }
"deny" | "drop" => { verdict = "blocked" }
_ => { verdict = "unknown" }
}
Patterns can be constants, exclusive ranges, alternatives separated by |, or
the final wildcard _. Every match must include an unguarded final wildcard
arm, so Tenzir can prove at compile time that all possible values are covered.
This provides a concise alternative to long else if chains when routing events
by field value.
The write_feather operator now supports compression_type="uncompressed"
to disable compression entirely. Previously, only zstd and lz4 were
accepted:
to_file "events.feather" {
write_feather compression_type="uncompressed"
}
The to_splunk operator gains three new options for richer HEC metadata.
Use time= to set the per-event Splunk timestamp from an expression that
evaluates to a Tenzir time or a non-negative epoch in seconds:
from {message: "login succeeded", observed_at: 2026-04-24T08:30:00Z}
to_splunk "https://localhost:8088",
hec_token=secret("splunk-hec-token"),
time=observed_at
Use fields= to attach indexed HEC fields. The expression must evaluate to
a flat record whose values are strings or lists of strings:
to_splunk "https://localhost:8088",
hec_token=secret("splunk-hec-token"),
event={message: message},
fields={user: user, tags: tags}
Use raw= to send already-formatted text to the HEC raw endpoint
(/services/collector/raw). The raw expression must evaluate to a
string. Multiple events in one request are separated by newlines, and
request-level metadata such as host, source, sourcetype, index, and
time is sent as query parameters:
to_splunk "https://localhost:8088",
hec_token=secret("splunk-hec-token"),
raw=line,
source=source,
sourcetype="linux_secure"
raw and event are mutually exclusive; fields is not supported with
raw.
The dns_lookup operator now caches DNS results and reuses them across
lookups. Forward-lookup results gain a ttl field that shows the remaining
lifetime of the cached answer:
from {host: "example.com"}
dns_lookup host
If Tenzir cannot initialize DNS resolution at all, the operator now emits an
error and stops instead of writing null results for every event.
Individual failed or timed-out lookups still produce null, as before.
Apr 30, 2026 · @jachris · #5821
The parallel operator gains two enhancements:
The jobs argument is now optional and defaults to the number of available
CPU cores:
subscribe "events"
parallel {
parsed = data.parse_json()
}
The new route_by argument routes events to workers deterministically by
key. Events with the same route_by value always go to the same worker,
which is required for stateful subpipelines like deduplicate or
summarize:
subscribe "events"
parallel route_by=src_ip {
deduplicate src_ip, dst_ip, dst_port
}
Additionally, parallel may now be used as a source operator (without
upstream input). This spawns multiple independent instances of the
subpipeline, which is useful for running the same source pipeline with
concurrent connections.
Apr 30, 2026 · @raxyte · #6036
The from_file operator now accepts an mmap=bool option that uses
memory-mapped I/O for reading local files instead of regular reads. This can
improve performance for large files:
from_file "/var/log/large.json", mmap=true {
read_json
}
Defaults to false.
The new read_tql operator parses an incoming byte stream of TQL-formatted
records into events. Each top-level record expression becomes one event:
load_file "events.tql"
read_tql
The input format matches the output of write_tql, so read_tql is useful
for round-tripping data through TQL notation, reading TQL-formatted files,
or processing data piped from other Tenzir pipelines.
Apr 30, 2026 · @raxyte · #6053
Four new high-level writer operators serialize events to local filesystems and cloud object stores with rotation, hive-style partitioning, and per-partition unique filenames:
to_file writes to a local filesystem.to_s3 writes to Amazon S3.to_azure_blob_storage writes to Azure Blob Storage.to_google_cloud_storage writes to Google Cloud Storage.Each takes a printing subpipeline, a URL with optional ** and {uuid}
placeholders, and rotation parameters. The ** placeholder expands into a
hive partitioning hierarchy based on partition_by, and {uuid} ensures
each partition gets unique destination names:
subscribe "events"
to_s3 "s3://my-bucket/year=**/month=**/{uuid}.json",
partition_by=[year, month] {
write_ndjson
}
Files rotate automatically when the configured max_size or timeout is
reached, so long-running pipelines do not produce single huge objects.
Apr 30, 2026 · @aljazerzen · #6019
The new to_http operator sends each input event as an HTTP request to a
webhook or API endpoint. By default, it JSON-encodes the entire event as the
request body and sends it as a POST:
subscribe "alerts"
to_http "https://example.com/webhook"
to_http shares its options with from_http and http: configure
method, body, encode, headers, TLS, retries, and pagination per
request. Use parallel to issue multiple concurrent requests when the target
endpoint can keep up with a single pipeline.
This is useful for pushing alerts to webhooks, forwarding events to SIEMs, and calling external APIs once per event.
Apr 30, 2026 · @aljazerzen · #6070
The new serve_http operator starts an HTTP server and broadcasts the bytes
produced by a nested pipeline to all connected clients:
from_file "example.yaml"
serve_http "0.0.0.0:8080" {
write_ndjson
}
Clients connect with a GET request and receive a continuous HTTP response
body. Pick the wire format with the nested pipeline: write_ndjson for
NDJSON streams, write_lines for plain text, and so on. The operator does
not buffer output for clients that connect later—each client receives the
bytes produced after it connects. TLS, connection limits, and graceful
disconnect are all configurable.
The new from_nic operator captures packets from a network interface and
emits them as events directly:
from_nic "eth0"
Without an explicit subpipeline, from_nic parses the captured PCAP byte
stream with read_pcap. Provide a subpipeline when you want to change how
the byte stream is parsed. Use the filter option to apply a Berkeley Packet
Filter (BPF) expression so libpcap drops unwanted traffic before parsing:
from_nic "eth0", filter="tcp port 443"
The companion read_pcap and write_pcap operators have been refreshed:
read_pcap now also emits a pcap.file_header event when
emit_file_headers=true, which write_pcap consumes to preserve the
original timestamp precision and byte order. The pcap.packet schema's
time.timestamp field is now a top-level timestamp field, and data is
now a blob.
Apr 30, 2026 · @mavam · #5744, #6017
Tenzir now has dedicated TCP source and sink operators that match the same client/server split as the HTTP operators:
from_tcp connects to a remote TCP or TLS endpoint as a client.accept_tcp listens on a local endpoint and spawns a subpipeline per
accepted connection. Inside the subpipeline, $peer.ip and $peer.port
identify the connecting client; with resolve_hostnames=true,
$peer.hostname is also available from reverse DNS.to_tcp connects to a remote endpoint and writes serialized bytes.serve_tcp listens for incoming connections and broadcasts pipeline output
to all connected clients.Each operator takes a parsing or printing subpipeline so connection management, framing, and serialization stay separate concerns:
accept_tcp "0.0.0.0:8090" {
read_json
}
to_tcp "collector.example.com:5044" {
write_json
}
from_tcp and to_tcp reconnect with exponential backoff on connection
failure. All four operators support TLS via the tls option.
The legacy load_tcp and save_tcp operators are now deprecated. The
tcp:// and tcps:// URL schemes still dispatch to them via from and
to.
Apr 30, 2026 · @raxyte · #5731
The new from_stdin operator reads bytes from standard input through a
parsing subpipeline:
from_stdin {
read_json
}
This is useful when piping data into the tenzir executable as part of a
shell script or command chain.
Apr 30, 2026 · @IyeOnline
The new anonymize operator generates synthetic events that share the schemas
of its input. The operator first samples a configurable number of input events
to learn what schemas are present and to summarize their values, and then
replaces the input with generated events that match those schemas:
subscribe "events"
anonymize count=1000
By default, generated values follow the aggregate statistics of the sampled
input: null rates, list lengths, numeric ranges, time and duration ranges,
boolean and enum frequencies, string and blob lengths and byte frequencies, IP
address family frequencies, and subnet prefix length frequencies. Use
fully_random=true to ignore those statistics and instead pick values
uniformly from each type's full range. The optional seed argument makes
output reproducible.
Use anonymize to share representative event traces without leaking the
underlying values.
Apr 30, 2026 · @jachris · #5980
The new group operator routes events with the same key through a shared
subpipeline. Inside the subpipeline, $group refers to the key for that
subpipeline:
group tenant {
summarize count()
}
The subpipeline either emits events—which are forwarded as the operator's
output—or ends with a sink, in which case group itself becomes a sink. Use
group when you need keyed routing through a stateful subpipeline, such as a
per-tenant sink or a per-session transformation. For grouped aggregations,
keep using summarize.
Apr 30, 2026 · @jachris · #5981
The new each operator runs a fresh subpipeline for every input event. The
event is bound to $this inside the subpipeline so it can parametrize the
nested logic on a per-event basis:
from [
{file: "a.json"},
{file: "b.json"},
]
each {
from $this.file
}
The subpipeline takes no input from each. It either emits events—which are
forwarded as the operator's output—and may also end with a sink, in which case
each itself becomes a sink.
Use each for per-event jobs such as a lookup, an export, or a sink whose
source depends on the incoming event. For keyed streams that should keep one
subpipeline alive per key, use group instead.
Apr 24, 2026 · @mavam, @codex · #6080
The from_http operator now supports paginate="odata" for
OData collection
responses such as Microsoft Graph:
from_http "https://graph.microsoft.com/v1.0/users",
headers={"ConsistencyLevel": "eventual"},
paginate="odata" {
read_json
}
This mode emits the objects from the response body's top-level value array
and follows top-level @odata.nextLink URLs until no next link is present. The
next link can be absolute or relative to the current response URL.
Apr 17, 2026 · @mavam, @codex · #6047
Tenzir can now consume from and publish to NATS JetStream subjects with
from_nats and to_nats.
Use from_nats to receive one event per message. The raw payload appears in the
message blob field, and metadata_field attaches NATS metadata:
from_nats "alerts", metadata_field=nats
parsed = string(message).parse_json()
Use to_nats to publish one message per event. By default, the operator
serializes the whole event with this.print_ndjson():
from {severity: "high", alert_type: "suspicious-login"}
to_nats "alerts"
Both operators support configurable connection settings, authentication, and
the standard Tenzir tls record.
Feb 6, 2026 · @mavam, @claude · #5721, #5738
The from_mysql operator lets you read data directly from MySQL databases.
Read a table:
from_mysql table="users", host="localhost", port=3306, user="admin", password="secret", database="mydb"
List tables:
from_mysql show="tables", host="localhost", port=3306, user="admin", password="secret", database="mydb"
Show columns:
from_mysql table="users", show="columns", host="localhost", port=3306, user="admin", password="secret", database="mydb"
And ultimately execute a custom SQL query:
from_mysql sql="SELECT id, name FROM users WHERE active = 1",
host="localhost",
port=3306,
user="admin",
password="secret",
database="mydb"
The operator supports TLS/SSL connections for secure communication with MySQL
servers. Use tls=true for default TLS settings, or pass a record for
fine-grained control:
from_mysql table="users", host="db.example.com", database="prod", tls={
cacert: "/path/to/ca.pem",
certfile: "/path/to/client-cert.pem",
keyfile: "/path/to/client-key.pem",
}
The operator supports MySQL's caching_sha2_password authentication method and automatically maps MySQL data types to Tenzir types.
Use live=true to continuously stream new rows from a table. The operator
tracks progress using a watermark on an integer column, polling for rows above
the last-seen value:
from_mysql table="events", live=true, host="localhost", database="mydb"
By default, the tracking column is auto-detected from the table's auto-increment primary key. To specify one explicitly:
from_mysql table="events", live=true, tracking_column="event_id",
host="localhost", database="mydb"
The from_sqs and to_sqs operators now derive the AWS region from a queue
URL when aws_region is not set, so passing a full URL such as
https://sqs.us-west-2.amazonaws.com/123456789012/my-queue works without
having to specify the region again:
from_sqs "https://sqs.us-west-2.amazonaws.com/123456789012/my-queue"
Previously, this would fall back to the SDK default region and fail with a
SigV4 signature mismatch. Explicit aws_region, resolved IAM credentials, and
the SDK default still apply in that order when the URL has no region (for
example VPC endpoints, LocalStack, or an AWS_ENDPOINT_URL override).
SQS API errors and HTTP failures now also include the endpoint URL in their log lines and diagnostic notes, which makes it easier to tell which queue produced an error when multiple SQS pipelines run side by side.
The from_amazon_sqs and to_amazon_sqs operators now derive the AWS region
from a queue URL when aws_region is not set, so passing a full URL such as
https://sqs.us-west-2.amazonaws.com/123456789012/my-queue works without
having to specify the region again:
from_amazon_sqs "https://sqs.us-west-2.amazonaws.com/123456789012/my-queue"
Previously, this would fall back to the SDK default region and fail with a
SigV4 signature mismatch. Explicit aws_region, resolved IAM credentials, and
the SDK default still apply in that order when the URL has no region (for
example VPC endpoints, LocalStack, or an AWS_ENDPOINT_URL override).
SQS API errors and HTTP failures now also include the endpoint URL in their log lines and diagnostic notes, which makes it easier to tell which queue produced an error when multiple SQS pipelines run side by side.
The chart_bar and chart_pie operators now preserve the incoming row order
for categorical x-axis values such as strings, IP addresses, and subnets. This
allows users to control bar order with regular TQL operators such as sort
before charting.
Apr 30, 2026 · @aljazerzen · #5878, #5906
The batch operator now maintains separate buffers for each distinct
schema. Each buffer has independent timeout tracking and fills until reaching
the limit, at which point it flushes immediately. Previously, mixed-schema
streams could stall waiting for a single combined buffer to fill.
The timeout argument now defaults to 1min instead of an infinite
duration, so buffered events are flushed at least once per minute when no new
events arrive.
Apr 15, 2026 · @lava
We added a new operator to accept data from incoming HTTP connections.
The server option of the from_http operator is now deprecated.
Going forward, it should only be used for client-mode HTTP operations,
and the new accept_http operator should be used for server-mode
operations.
May 31, 2026 · @mavam, @codex · #6241
Invalid lambda-valued let bindings now produce a focused diagnostic instead of cascading into a generic evaluation warning and an internal error.
For example, let $f = (x => x + 1) now points at the lambda and suggests inlining it at the use site.
May 29, 2026 · @mavam, @codex · #6239
GeoIP enrichment now includes all fields from MaxMind records. Previously, records containing uint128 values could stop materializing subsequent fields, which could omit later enrichment data from affected databases.
May 20, 2026 · @raxyte · #6210
The compaction plugin no longer fails to start with
module <package> not found when a rule's pipeline references an
operator defined by an installed package. Previously, depending on the
order in which the node's components were initialized, the compactor's
eager rule-pipeline parse could run before the package manager had
published its operator modules to the global registry.
Time-based compaction rules no longer cause the node to reprocess data that has already been compacted in a previous run.
May 8, 2026 · @tobim, @codex · #6149
Packages can now include a top-level metadata field for data consumed by external tools. Unknown package keys still fail validation, and the error now points users to metadata for non-engine package data.
Apr 28, 2026 · @tobim, @codex · #6087
The read_feather operator can now read Arrow IPC file containers in addition to Arrow IPC streams:
from_file "partition.feather" {
read_feather
}
This fixes reading Tenzir archive partition files directly. If an IPC file contains a Tenzir event envelope, read_feather unwraps the event payload and preserves the import time; IPC files without Tenzir schema metadata use the schema name undefined.
Apr 24, 2026 · @mavam, @codex · #6081
The to_sentinelone_data_lake operator now works in pipelines that run on the new executor. Previously, using it there failed before the pipeline could send events.
from {message: "hello"}
to_sentinelone_data_lake "https://example.com", token="TOKEN"
Mar 31, 2026 · @jachris, @mavam, @codex · #5963
The drop_null_fields operator is now much faster on heterogeneous input with many changing null patterns.
Jun 3, 2026 · @gitryder
Results with a single column now stretch to fill the full width of the table instead of hugging the left edge. Long values use the available space and truncate at the table's edge rather than at a fixed cutoff.
May 18, 2026 · @gitryder
You can now right-click a field name or value in the Explorer table to filter, sort, aggregate, or reshape your results. Actions like Equals, Not equals, Greater than, Contains, Starts with, Top values, Rare values, and Count values are appended to the editor as TQL, so common queries can be built by clicking instead of typing.
Timestamps get extra options for filtering around the clicked value, with windows of 5 minutes, 1 hour, and 1 day before, after, or on either side.
May 7, 2026 · @gitryder
You can now sort events by time in the Stream view. The control cycles between newest first, oldest first, and off, and is disabled when no timestamp field is detected in the data. Your sorting preference is remembered between sessions.
May 21, 2026 · @lava
When a X-Tenzir-UserKey has expired, the platform now returns a dedicated 403 response with the detail User key expired, instead of the generic 403 Invalid API Key: X-Tenzir-UserKey expired error. This lets clients reliably detect the expired-key case and trigger a re-authentication flow.
May 26, 2026 · @jachris · #177
The Insights tab now always shows data for the release candidates of Tenzir Node
v6, even if no // neo comment is present.
May 21, 2026 · @avaq
We fixed an issue where actions on the account, organization, and invitation pages would fail if the page had been open for more than 15 minutes. The following operations now automatically refresh the user key when needed: changing account details, updating passwords, deleting accounts, creating and updating organizations, managing organization invitations, and deleting organizations.
May 21, 2026 · @gitryder
Negative multi-part durations no longer drift when copied or embedded into a TQL query. Previously a duration like -(19min + 12.636s) was rendered as -19min + 12.636s, which the parser read as -1127.364s instead of the original -1152.636s — off by twice the seconds component. The sign now distributes across every term (-19min - 12.636s) so the value round-trips cleanly.
Duration rendering also picks up a clearer split between display and query forms. The table cells, chart tooltips, and chart axis labels show durations in a human-readable form like 1h 30min 5.000s. The inspector and any context that needs to round-trip the value back into a query show the TQL-valid arithmetic form like 1h + 30min + 5.000000000s.
May 19, 2026 · @gitryder
We fixed an issue where the Insights tab became unresponsive and flickered on pipelines with many operators. The table now renders smoothly and stays interactive while showing live metrics.
]]>May 31, 2026 · @mavam, @codex · #2
The TQL grammar now parses the documented match statement pattern syntax, including alternatives, guards, ranges, and wildcard arms:
match status {
499..600 | 429 if retries > 0 => {
action = "retry"
}
_ => {}
}
This improves editor parsing and highlighting for pipelines that use the new match control-flow statement.
Developers can run the same fast local quality gate used by CI with npm run check:
npm run check
Use npm run fix to refresh generated parser and editor-query artifacts before committing.
May 27, 2026 · @tobim, @codex · #49
Inline Python dependencies declared by tests or fixtures no longer force a
runtime uv pip install when a bare dependency name is already available in
the active Python environment.
Pass --disable-inline-dependency-install, or set
TENZIR_TEST_DISABLE_INLINE_DEPENDENCY_INSTALL=1, to skip inline dependency
installation entirely when another tool provisions the test environment. The
harness still reads dependency metadata, but it leaves package installation to
the caller.
May 14, 2026 · @gitryder
We fixed an issue where clicking on a line, area, or bar chart could unintentionally zoom the chart to a narrow window, hiding the axis labels and most of the data. Charts no longer respond to clicks this way.
May 14, 2026 · @gitryder
We fixed an issue where chart tooltips were cut off in dashboard cells and the Explorer chart view when the tooltip did not fit inside the chart area. Tooltips now stay fully visible, even on small cells or near the screen edge.
]]>May 13, 2026 · @mavam, @codex · #26
Validate changelog entry metadata and release manifests with JSON Schema so malformed fields such as non-numeric pull request references are reported instead of silently passing validation.
]]>May 13, 2026 · @lava
We reduced the default lifetime of user keys from one week to 15 minutes. Sessions transparently refresh, so this is invisible in normal use, but shortens the window in which a leaked key could be reused.
]]>May 13, 2026 · @mavam, @codex · #47
Project fixtures can now declare Python package dependencies inline with PEP 723 metadata:
# /// script
# dependencies = ["boto3"]
# ///
tenzir-test installs these dependencies with uv before importing fixture
modules, so fixtures used during regular test runs and tenzir-test --fixture
can manage their own Python package requirements.
Select tests by requested fixture name with the new --fixture-name option:
tenzir-test --fixture-name node
tenzir-test tests/alerts --match kafka --fixture-name docker-compose
--fixture-name can be repeated and combines with --fixture-tag using OR
semantics before intersecting with positional test paths and --match.
Fixture selectors are long-only; the previous -F alias for --fixture-tag
has been removed before the CLI shape settles.
May 12, 2026 · @mavam, @codex · #44
tenzir-test now requires Python 3.13 or newer.
Users on Python 3.12 need to upgrade their interpreter before installing or running the CLI:
uvx --python 3.13 tenzir-test --help
The Tenzir skill collection is now published as its initial stable release for v1.0.0.
This release establishes the shared skill set as the stable baseline for coding agents working in and around the Tenzir ecosystem.
]]>May 11, 2026 · @mavam, @codex · #42
Select tests by fixture tag with the new --fixture-tag option:
tenzir-test --fixture-tag container
tenzir-test --fixture-tag docker-compose
Fixture tags are cumulative and can be repeated. The selector intersects with positional test paths and --match patterns, so you can narrow a directory to container-backed tests or run only tests that request the built-in Docker Compose fixture.
Fixtures that use the shared container runtime helpers inherit the container tag automatically. Custom fixtures can pass explicit tags at registration time when they use their own abstraction.
May 9, 2026 · @mavam, @codex · #41
The test harness can detect the installed Tenzir version across current and upcoming Tenzir releases. This keeps startup/version checks working during the transition to the next Tenzir release series.
]]>flow_id that mix signed and unsigned values no longer cause unnecessary table-slice splits. It also extends ocsf::derive to handle list-valued enum fields for full bidirectional OCSF enum normalization.
Apr 30, 2026 · @jachris, @mavam, @codex · #5354
ocsf::derive now derives OCSF enum sibling fields for lists, not just scalar enum fields. For example, DNS answers with flag_ids: [1, 3, 4] now also get flags: ["Authoritative Answer", "Recursion Desired", "Recursion Available"], and the reverse direction works for flags to flag_ids as well.
May 5, 2026 · @IyeOnline, @claude · #6125
Parsing data that mixes int64 and uint64 values in the same field no longer
produces unnecessary table-slice splits, improving batching performance. Fields
like flow_id that are always non-negative but occasionally exceed the signed
integer limit of 2^63 − 1 are now merged into a single uint64 column where
possible, instead of being emitted as separate slices.
May 6, 2026 · @mavam, @codex · #6128
Empty if branches no longer crash when running pipelines with the new executor. For example, if false {} now behaves like an empty pass-through branch instead of triggering an internal assertion failure.
May 6, 2026 · @gitryder
The Stream view now includes a timeline that shows event volume over time, segmented by schema. It automatically detects timestamp fields and adapts its bucket size to the data’s time range, providing an at-a-glance view of when events occur and which schemas are most active.
It also probes your data for time fields and shows availability inline, omitting events without a recognized time field (ts, timestamp, or time).
May 5, 2026 · @gitryder
You can now navigate between entries in the Explorer table using arrow keys. Press Space to toggle the inspector, then use Arrow Up and Arrow Down to move between rows and seamlessly across pages.
May 7, 2026 · @gitryder
The Insights tab in the pipeline detail view is no longer experimental and now appears for every pipeline. It shows you live per-operator CPU usage, events per second, batch ratios, and queue backpressure for the selected pipeline. You can see at a glance which operators are working hardest and where data is piling up, so finding hotspots and tuning pipeline performance becomes easier. Update your node to v6 to see the data.
Apr 21, 2026 · @gitryder
We moved field selection in the Explorer's table view into a dedicated popover. The 'Fields' button sits in the toolbar and shows how many fields are currently hidden. Opening it reveals the full field list with the same click-to-toggle and shift+click-to-focus behavior as before.
]]>May 4, 2026 · @mavam, @codex · #6113
Configured startup pipelines can now reference operators from static packages reliably. Previously, such pipelines could fail during node startup with module <package> not found, even though the same package operator worked when run manually after startup.
May 2, 2026 · @mavam, @codex · #6108
Package UDOs now load correctly when a typed string default looks like a TQL pattern, such as default: "/tmp-data/".
Previously, loading such a package could abort with an unexpected internal error before any pipeline ran.
]]>May 5, 2026 · @mavam, @codex · #40
Hook diagnostics emitted with --debug now use the same formatting as the rest of the harness debug trace. Previously, hook invocation messages used ad-hoc debug: lines, which made debug output inconsistent.
May 4, 2026 · @mavam, @codex · #23
The validate command now reports unknown changelog entry metadata keys instead of silently accepting them. This catches misspelled fields such as co-authors early, before they are ignored by release workflows.
Apr 29, 2026 · @mavam, @codex · #6098
ClickHouse connection errors caused by TLS/plaintext mismatches now include the TLS notes and hint again. This helps identify when to_clickhouse is using TLS against a plaintext ClickHouse endpoint and suggests setting tls=false when appropriate.
Apr 28, 2026 · @tobim, @codex · #6086
Default retention policies now continue deleting metrics and diagnostics as their timestamps age into the retention window, even when older and newer events share a partition.
Previously, a partition that still contained newer events after retention could be skipped by later retention runs, leaving those events behind after they expired.
]]>Apr 27, 2026 · @tobim, @codex · #6082
Static musl builds of tenzir no longer crash on deeply nested generated TQL
expressions.
This affected generated pipelines with deeply nested expressions, for example rules or transformations that expand into long left-associated operator chains.
The tenzir binary now links with a larger default thread stack size on musl,
which brings its behavior in line with non-static builds for these pipelines.
Apr 29, 2026 · @mavam, @codex · #39
Suite-level requires.operators checks now apply consistently to every test runner. Mixed suites that combine TQL, shell, Python, or custom tests no longer depend on the first runner type to decide whether required Tenzir operators are available.
Apr 29, 2026 · @mavam, @codex · #38
Suite-scoped fixture setup and teardown failures now appear as regular test failures instead of aborting the entire run with a Python traceback.
This lets the harness continue with independent queued tests after a fixture assertion or cleanup error.
]]>Apr 27, 2026 · @mavam, @codex · #36
Projects can now register Python hooks that run at stable tenzir-test lifecycle points, including before settings discovery:
from tenzir_test import hooks
@hooks.startup
def use_local_build(ctx):
ctx.path.insert(0, str(ctx.root / "build" / "bin"))
ctx.env["TENZIR_BINARY"] = str(ctx.root / "build" / "bin" / "tenzir")
ctx.env["TENZIR_NODE_BINARY"] = str(ctx.root / "build" / "bin" / "tenzir-node")
This makes it possible to select local Tenzir binaries, prepare project-scoped environment variables, and collect diagnostics for failed tests without wrapping the test command in custom shell scripts. Use --no-hooks or TENZIR_TEST_DISABLE_HOOKS=1 to bypass hooks when debugging.
The subnet function now accepts typed IP addresses, plain IP strings, and
existing subnet values with an optional prefix length:
from {source_ip: 10.10.1.124}
net = subnet(source_ip, 24)
This returns 10.10.1.0/24 without converting the IP address to a string first.
When you omit the prefix, IPv4 addresses become /32 host subnets and IPv6
addresses become /128 host subnets.
The unroll operator no longer crashes when expanding very large lists into output that exceeds Arrow's per-array capacity.
The files operator now skips unreadable child directories during recursive traversal, emits a warning for each skipped directory by default, and continues listing accessible siblings. Set skip_permission_denied=true to ignore permission-denied paths silently: this suppresses warnings for skipped child directories and still makes an unreadable initial directory produce no events instead of an error. Non-permission filesystem errors continue to fail the pipeline.
Apr 23, 2026 · @IyeOnline
We fixed an issue in the context::enrich operator that did cause unbounded
memory growth.
Apr 23, 2026 · @tobim, @codex · #6068
Tenzir no longer segfaults on some very deep left-associated boolean
expressions in where clauses due to source-location handling.
Both list and record indexing in TQL now work with signed and unsigned integer indices.
This also applies to record field-position indexing and to the get function for records and lists.
Apr 22, 2026 · @mavam, @codex · #35
The test harness now honors skip: {on: fixture-unavailable} for fixtures that are selected by individual tests:
skip:
on: fixture-unavailable
fixtures:
- optional-service
This lets parameterized per-test fixtures skip only the tests that need the unavailable service. Suite fixtures still require the opt-in in directory-level test.yaml, so one test's frontmatter cannot control the whole suite.
Apr 20, 2026 · @tobim, @codex · #6059
Partition rebuilds now finish after persisting rebuilt partitions. Previously, rebuild jobs could remain stuck indefinitely even though the replacement partitions were written successfully.
The summarize operator now starts frequency-based emission with the first
input event and emits overdue periodic results before later events are
aggregated. This makes periodic output deterministic in reset,
cumulative, and update modes for delayed or sparse streams.
For example:
from {ts: 0ms.from_epoch(), x: 1},
{ts: 90ms.from_epoch(), x: 1},
{ts: 360ms.from_epoch(), x: 1}
delay ts
summarize count=count(), options={frequency: 300ms, mode: "cumulative"}
The first periodic result now consistently reports a count of 2 before the
third event arrives.
Apr 21, 2026 · @lava, @gitryder
Workspace management has been enhanced with new capabilities for administrators. You can now rename workspaces directly from the workspace settings, and the Users tab now provides a unified interface for managing workspace access. Administrators can view all users with access to a workspace in a single table and easily change user roles between member and admin roles using dropdown controls.
Apr 21, 2026 · @lava, @gitryder
The Tenzir Platform now supports organizations, giving teams a shared home for collaborating across workspaces. Organization admins can invite members, assign admin or member roles, and manage which workspaces belong to the organization. Members get access to all workspaces owned by the organization and can leave from their user settings at any time.
Learn more in the organization management guide.
]]>Apr 16, 2026 · @tobim, @codex · #6039
Tenzir nodes now honor standard HTTP proxy environment variables when connecting to Tenzir Platform:
HTTPS_PROXY=http://proxy.example:3128 tenzir-node
Use NO_PROXY to bypass the proxy for selected hosts. This helps deployments where outbound connections to the Platform websocket gateway must go through an HTTP proxy.
Apr 16, 2026 · @mavam, @codex · #6022
The hash_* functions now hash blob values by their raw bytes. This makes checksums computed from binary data match external tools such as md5sum and sha256sum.
For example:
from_file "trace.pcap" {
read_all binary=true
}
md5 = data.hash_md5()
This is useful for verifying file contents and round-tripping binary formats without leaving TQL.
]]>100% passed and 0% failed.
The final aggregate summary now reports non-perfect pass and fail percentages whenever at least one executed test fails. Previously, rounding could show 100% passed and 0% failed for runs with a small number of failures, even though the overall result was not a full success.
For example, a run like 586 passed / 1 failed / 152 skipped now renders the executed-test percentages as 99% passed and 1% failed. This makes mixed outcomes easier to spot at a glance in the CLI output.
The reusable release workflow no longer emits the Node 20 deprecation warning when it generates GitHub App tokens on GitHub-hosted runners.
Repositories that call tenzir/ship/.github/workflows/release.yaml now get clean release logs without extra configuration.
v-prefixed tags. It keeps release publishing, local development, and CI installs on maintained versions without changing normal tenzir-ship usage.
The repository's locked Python dependencies now use patched upstream releases, including fixes for the open security advisories reported by Dependabot.
This refresh keeps local development and CI installs on maintained versions without changing normal tenzir-ship usage.
The release publish --commit workflow now uses the tag-form version in generated release commits and annotated tag messages.
For example, publishing v1.1.0 now creates Release v1.1.0 instead of Release 1.1.0:
tenzir-ship release publish v1.1.0 --commit --tag --yes
This keeps generated release commits aligned with the corresponding Git tag and avoids mismatches in automation that expects the v-prefixed release identifier.
context::lookup operator, and it adds pipeline names to diagnostics and metrics for easier operational correlation. This release also improves export reliability under load and fixes Azure transport errors, HTTP Host headers for non-standard ports, and rebuilt-partition export correctness.
Apr 1, 2026 · @IyeOnline · #5964
The context::lookup operator enables unified matching of events against contexts
by combining live and retrospective filtering in a single operation.
The operator automatically translates context updates into historical queries while simultaneously filtering all newly ingested data against any context updates.
This provides:
live=trueretro=trueExample usage:
context::lookup "feodo", field=src_ip
where @name == "suricata.flow"
Mar 30, 2026 · @IyeOnline, @claude · #5959
The metrics and diagnostics operators now include a pipeline_name field.
Previously, output from these operators only identified the source pipeline by its ID. Now the human-readable name is available too, making it straightforward to filter or group results by pipeline name without needing to look up IDs separately.
Please keep in mind that pipeline names are not unique.
Apr 8, 2026 · @claude
Bumped Apache Arrow from 23.0.0 to 23.0.1, which includes an upstream fix
for unhandled Azure::Core::Http::TransportException in Arrow's
AzureFileSystem methods. Previously, transport-level errors (e.g., SSL
certificate failures) could crash the node during file listing, reading, or
writing. Additionally, the direct Azure SDK calls in the blob deletion code
paths now catch Azure::Core::RequestFailedException (the common base of
both StorageException and TransportException) instead of listing
specific exception types.
Apr 7, 2026 · @tobim, @codex · #5988
The export operator no longer emits partially populated events from rebuilt partitions when a row is null at the record level. Previously, some events could appear with most fields set to null while a few values, such as event_type or interface fields, were still present.
This makes exports from rebuilt data more reliable when investigating sparse or malformed-looking events.
Mar 31, 2026
The from_http and http operators now include the port in the Host header
when the URL uses a non-standard port. Previously, the port was omitted, which
caused requests to fail with HTTP 403 when the server validates the Host
header against the full authority, such as for pre-signed URL signature
verification.
The export command no longer fails or misses recent events when a node is flushing active partitions to disk under heavy load. Recent exports now keep the in-memory partitions they depend on alive until the snapshot completes, which preserves correctness for concurrent import and export workloads.
Apr 7, 2026 · @gitryder
We added thousands separators to numeric values in the pipeline Insights tab, making large numbers easier to read at a glance.
Apr 7, 2026 · @gitryder
We fixed an issue where the pipeline table stayed filtered after viewing a pipeline's detail page and navigating away to another tab. Returning to the Pipelines page would show only the previously viewed pipeline, and clearing the search had no effect.
]]>The reusable GitHub Actions release workflow now works in external repositories by default. It falls back to the caller repository's GITHUB_TOKEN, makes GitHub App authentication optional, and only enables GPG signing when a caller provides a signing key and opts into commit and/or tag signing. The single release.yaml workflow now also exposes the advanced hooks and release controls directly, including skip-publish for dry runs and smoke tests. Tenzir repositories can still opt into the existing bot identity, GitHub App token flow, and signed commits and tags by passing those settings explicitly.
Mar 27, 2026 · @gitryder
You can now choose which fields are visible in the Explorer's table view. When you select a schema in the sidebar, its fields are listed below. Click a field to hide its column from the table. Shift+click a field to show only that field. A "fields hidden" indicator in the table header lets you clear all hidden fields at once. Field selections are remembered per schema and reset when you run a new pipeline.
Mar 26, 2026 · @gitryder
You can now filter events in the Stream view by clicking schemas in the sidebar. The schemas panel shows color-coded dots matching each schema's badge color, and selecting one or more schemas limits the view to only those events. Same-name schema variants are merged into a single entry in the sidebar for easier navigation.
Mar 26, 2026 · @gitryder
We added a new Stream view to the Explorer that shows all pipeline results as a continuous list of expandable events. You can switch between the Table, Chart, and Stream views using the view selector in the toolbar. The Stream view displays events from all schemas together, with color-coded badges to distinguish between them. Each row shows a one-line preview that you can expand to inspect the full event. The view remembers your selection across pipeline runs, and the event list scrolls horizontally as a whole, with schema badges staying pinned on the left.
Mar 13, 2026 · @gitryder
You can now sort the Explorer table by clicking column headers. Sortable columns show a sort indicator, and clicking cycles through ascending, descending, and unsorted states. Sorting works for both top-level and nested fields.
Mar 12, 2026 · @gitryder
You can now click on field names and values in the Explorer inspector to copy them to the clipboard. Field names copy the full dot-separated path, and values copy their TQL representation.
Mar 12, 2026 · @gitryder
You can now select a time range directly from the Explorer header. Choose from quick presets like 5 minutes or 12 hours, or open the custom popover to pick from a grid of relative durations or set an absolute date range. The selector is currently available for pipelines that start with the export operator.
Mar 12, 2026 · @gitryder
We combined the 'About' and 'Install' tabs in the package detail drawer into a single scrollable view. Package information, examples, and configuration options are now shown on one page instead of requiring tab switches.
Apr 1, 2026 · @gitryder
We fixed an issue where a node could be renamed to an empty string, causing the app to malfunction. Node names are now properly validated, so empty or whitespace-only names are no longer allowed.
Apr 1, 2026 · @gitryder
We fixed an issue where the connection token shown in the "Connect node" dialog did not update when switching between different disconnected nodes. The token now correctly refreshes for the selected node.
Mar 24, 2026 · @gitryder
We fixed an issue where custom packages installed on a node were not visible in the library view. Previously, only packages from the official Tenzir library were shown. Custom packages are now included alongside library packages.
Mar 24, 2026 · @gitryder
We fixed a bug where operator description text on the package detail page appeared rotated 90 degrees, overlapping other content.
Mar 17, 2026 · @gitryder
Packages containing user-defined operators can again be installed through the platform. Previously, installing such packages failed because the operator arguments were serialized incorrectly. This only affected installs through the platform UI—command-line package installs were not impacted.
]]>Feb 4, 2026 · @tobim, @codex · #5703
AWS operators now support OIDC-based authentication via the AssumeRoleWithWebIdentity API.
You can authenticate with AWS resources using OpenID Connect tokens from external identity providers like Azure, Google Cloud, or custom endpoints. This enables secure cross-cloud authentication without sharing long-lived AWS credentials.
Configure web identity authentication in any AWS operator by specifying a token source and target role:
from_s3 "s3://bucket/path", aws_iam={
region: "us-east-1",
assume_role: "arn:aws:iam::123456789012:role/cross-cloud-role",
web_identity: {
token_file: "/path/to/oidc/token"
}
}
The web_identity option accepts three token sources: token_file (path to a token file), token_endpoint (HTTP endpoint that returns a token), or token (direct token value). For HTTP endpoints, you can extract tokens from JSON responses using path.
Credentials automatically refresh before expiration, with exponential backoff retry logic for transient failures. This is especially useful for long-running pipelines that need persistent authentication.
Mar 30, 2026 · @jachris · #5954
Pipelines that use and, or, or if-else expressions run significantly faster in certain cases — up to 30× in our benchmarks. The improvement is most noticeable in pipelines with complex filtering or branching logic. No pipeline changes are needed to benefit.
Mar 23, 2026 · @mavam, @codex · #5939
The ocsf::derive operator now supports OCSF 1.8.0 events.
For example, you can now derive enum and sibling fields for events that declare
metadata.version: "1.8.0":
from {metadata: {version: "1.8.0"}, class_uid: 1007}
ocsf::derive
This keeps OCSF normalization pipelines working when producers emit 1.8.0
events.
Platform configuration validation now provides clearer error messages when an invalid configuration is encountered, helping you quickly diagnose and fix configuration issues.
Setting TENZIR_ENDPOINT to an unresolvable hostname no longer crashes the pipeline with a segfault.
Mar 25, 2026 · @mavam, @claude · #5949
ocsf::derive no longer emits a false warning when an _id field is set
to 99 (Other) and the sibling string contains a source-specific value.
Per the OCSF specification, 99/Other is an explicit escape hatch: the
integer signals that the value is not in the schema's enumeration and the
companion string must hold the raw value from the data source. For
example, the following is now accepted silently:
from {
metadata: { version: "1.7.0" },
type_uid: 300201,
class_uid: 3002,
auth_protocol_id: 99,
auth_protocol: "Negotiate",
}
ocsf::derive
Previously this produced a spurious warning: found invalid value for 'auth_protocol' because "Negotiate" is not a named enum caption.
Mar 24, 2026 · @lava
The Azure Blob Storage connector now handles Azure::Core::Http::TransportException
(e.g., SSL certificate errors) gracefully instead of crashing. Previously, a
self-signed certificate in the certificate chain would cause an unhandled
exception and terminate the node.