This release includes several bug fixes for the JSON parser and the where, replace, and if operators, along with Kafka decompression support and a new raw_message option for the read_syslog operator.
🚀 Features
Raw message field support for read_syslog operator
Jan 27, 2026 · @mavam, @claude · #5687
The read_syslog operator now supports a raw_message parameter that preserves the original, unparsed syslog message in a field of your choice. This is useful when you need to retain the exact input for auditing, debugging, or compliance purposes.
When you specify raw_message=<field>, the operator stores the complete input message (including all lines for multiline messages) in the specified field. This works with all syslog formats, including RFC 5424, RFC 3164, and octet-counted messages.
For example:
read_syslog raw_message=original_input
This stores the unparsed message in the original_input field alongside the parsed structured fields like hostname, app_name, message, and others.
🐞 Bug Fixes
Fix overzealous constant evaluation in if statements
Jan 30, 2026 · @jachris · #5701
The condition of if statements is no longer erroneously evaluated early when
it contains a lambda expression that references runtime fields.
Support decompression for Kafka operators
Jan 30, 2026 · @raxyte, @claude · #5697
Kafka connectors now support decompressing messages with zstd, lz4 and gzip.
Fix intermittent UTF-8 errors in JSON parser
Jan 29, 2026 · @jachris, @claude · #5698
The JSON parser no longer intermittently fails with “The input is not valid UTF-8” when parsing data containing multi-byte UTF-8 characters such as accented letters or emojis.
Fix assertion failure in replace operator when replacing with null
Jan 29, 2026 · @mavam, @claude · #5696
The replace operator no longer triggers an assertion failure when using
with=null on data processed by operators like ocsf::cast.
load_file "dns.json"
read_json
ocsf::cast "dns_activity"
replace what="", with=null
Where operator optimization for optional fields
Jan 28, 2026 · @jachris, @claude
The where operator optimization now correctly handles optional fields marked with ?. Previously, the optimizer didn’t account for the optional marker, which could result in incorrect query optimization. This fix ensures that optional field accesses are handled properly without affecting the optimization of regular field accesses.