Tenzir Node Unreleased

🚀 Features

Per-pipeline memory consumption metrics

Jan 5, 2026 · @jachris · #5644

The new tenzir.metrics.operator_buffers metrics track the total bytes and events buffered across all operators of a pipeline. The metrics are emitted every second and include:

timestamp: The point in time when the data was recorded
pipeline_id: The pipeline’s unique identifier
bytes: Total bytes currently buffered
events: Total events currently buffered (for events only)

Use metrics "operator_buffers" to access these metrics.

XML parsing functions for TQL

Dec 30, 2025 · @mavam, @claude · #5640, #5645

The new parse_xml and parse_winlog functions parse XML strings into structured records, enabling analysis of XML-formatted logs and data sources.

The parse_xml function offers flexible XML parsing with XPath-based element selection, configurable attribute handling, namespace management, and depth limiting. It supports multiple match results as lists and handles both simple and complex XML structures.

The parse_winlog function specializes in parsing Windows Event Log XML format, automatically finding Event elements and transforming EventData/UserData sections into properly structured fields.

Both functions integrate with Tenzir’s multi-series builder for schema inference and type handling.

Easy parallel pipeline execution

Dec 23, 2025 · @raxyte · #5632

The parallel operator executes a pipeline across multiple parallel pipeline instances to improve throughput for computationally expensive operations. It automatically distributes input events across the pipeline instances and merges their outputs back into a single stream.

Use the jobs parameter to specify how many pipeline instances to spawn. For example, to parse JSON in parallel across 4 pipeline instances:

from_file "input.ndjson"
read_lines
parallel 4 {
  this = line.parse_json()
}

🔧 Changes

Duplicate diagnostics only suppressed for 4 hours

Jan 12, 2026 · @raxyte, @claude · #5652

Repeated warnings and errors now resurface every 4 hours instead of being suppressed forever. Previously, once a diagnostic was shown, it would never appear again even if the underlying issue persisted. This change helps users notice recurring problems that may require attention.

Event-based rate limiting for throttle operator

Jan 9, 2026 · @raxyte · #5642

The throttle operator now rate-limits events instead of bytes. Use the rate option to specify the maximum number of events per window, weight to assign custom per-event weights, and drop to discard excess events instead of waiting. The operator also emits metrics for dropped events.

🐞 Bug Fixes

Crashes during gRPC operator shutdown

Jan 14, 2026 · @mavam, @claude · #5661

We fixed bugs in several gRPC-based operators:

A potential crash in from_velociraptor on shutdown.
Potentially not publishing final messages in to_google_cloud_pubsub on shutdown.
A concurrency bug in from_google_cloud_pubsub that could cause a crash.

Fixed `from_kafka` not producing events

Jan 14, 2026 · @IyeOnline · #5659

We fixed a bug in from_kafka that would cause it to not produce events.

Socket leak in `from_http`

Jan 8, 2026 · @jachris, @claude · #5647

The from_http operator sometimes left sockets in CLOSE_WAIT state instead of closing them properly. This could lead to resource exhaustion on long-running nodes receiving many HTTP requests.

Timezone handling in static binary

Jan 7, 2026 · @tobim, @claude · #5649

The format_time and parse_time functions in the static binary now correctly use the operating system’s timezone database.

Error propagation in every and cron operators