Download the release on GitHub.
Features
Section titled “Features”Add timeout options to summarize
Section titled “Add timeout options to summarize”The summarize operator gained two new options: timeout and update-timeout,
which enable streaming aggregations. They specifiy the maximum time a bucket in
the operator may exist, tracked from the arrival of the first and last event in
the bucket, respectively. The timeout is useful to guarantee that events are
held back no more than the specified duration, and the update-timeout is
useful to finish aggregations earlier in cases where events that would be sorted
into the same buckets arrive within the specified duration, allowing results to
be seen earlier.
By @dominiklohmann in #4209.
Add statistical aggregation functions
Section titled “Add statistical aggregation functions”The new mean aggregation function computes the mean of grouped numeric values.
The new approximate_median aggregation function computes an approximate median
of grouped numeric values using the t-digest algorithm.
The new stddev and variance aggregation functions compute the standard
deviation and variance of grouped numeric values, respectively.
The new collect aggregation function collects a list of all non-null grouped
values. Unlike distinct, this function does not remove dulicates and the
results may appear in any order.
By @dominiklohmann in #4208.
Implement strides for the slice operator
Section titled “Implement strides for the slice operator”The slice operator now supports strides in the form of slice <begin>:<end>:<stride>. Negative strides reverse the event order. The new
reverse operator is a short form of slice ::-1 and reverses the event order.
By @dominiklohmann in #4216.
Changes
Section titled “Changes”Change the syntax of the slice operator
Section titled “Change the syntax of the slice operator”The slice operator now expects its arguments in the form <begin>:<end>,
where either the begin or the end value may be omitted. For example, slice 10:
returns all but the first 10 events, slice 10:20 returns events 10 to 20
(exclusive), and slice :-10 returns all but the last 10 events.
By @dominiklohmann in #4211.
Bug Fixes
Section titled “Bug Fixes”Remove the superfluous path separators when using S3 or GS connectors
Section titled “Remove the superfluous path separators when using S3 or GS connectors”Paths for s3 and gs connectors are not broken anymore during
loading/saving.
Make syslog parser more lenient
Section titled “Make syslog parser more lenient”The syslog parser incorrectly identified a message without hostname and tag as
one with hostname and no tag. This resulted in a hostname with a trailing colon,
e.g., zscaler-nss:. In such messages, the parser now correctly sets the
hostname to null and assigns zscaler-nss as tag/app, without the trailing
colon.