zed

Visit the Brim Download page to find the package for your OS platform.

• zng: Readability improvements in the ZNG specification (#897, #910, #917)
• zq: Support directory output to S3 (#898)
• zql: Group-by no longer emits records in "deterministic but undefined" order (#914)
• zqd: Revise constraints on Space names (#853, #926, #944, #945)
• zqd: Fix an issue where a file replacement race could cause an "access is denied" error in Brim during pcap import (#925)
• zng: Revise Zeek compatibility doc (#919)
• zql: Clarify cut processor documentation (#924)
• zqd: Fix an issue where an invalid 1970 Space start time could be created in Brim during pcap inport (#938)

Visit the Brim Download page to find the package for your OS platform.

• pcap: Report more detailed error information (#844)
• zql: Add a new function Time.trunc() (#842)
• zql: Support grouping by computed keys (#860)
• zq: Change implementation of every X to use a computed groupby key (#893)
• zql: Clean up the ZQL docs (#884)
• zql: Change cut processor to emit any matching fields (#899)
• zq: Allow output to an S3 bucket (#889)

Visit the Brim Download page to find the package for your OS platform.

• zq: Add support for reading from S3 buckets (#733, #780, #783)
• zq: Add initial support for reading Parquet files (only via -i parquet, no auto-detection) (#736, #754, #774, #780, #782, #820, #813, #830, #825, #834)
• zq: Fix an issue with reading/writing recursively-nested NDJSON events (#748)
• zqd: Begin using a "runner" to invoke Zeek for processing imported pcaps (#718, #788)
• zq: Fix issues related to reading NDJSON during format detection (#752)
• zqd: Include stack traces on panic errors (#732)
• zq: Handle \r\n line endings generated by MinGW (Windows) Zeek (#775)
• zq: Support scientific notation for integer types (#768)
• zql: Add cast syntax to expressions (#765, #784)
• zq: Fix an issue where reads from stdin were described as being from - (#777)
• zq: Improve an NDJSON parsing error to be more detailed than "bad format" (#776)
• zjson: Fix an issue with aliases in the zjson writer (#793)
• zq: Fix an issue where typed JSON reads could panic when a field that was expected to contain an array instead contained a scalar (#799)
• zq: Fix an issue with ZNG handling of aliases on records (#801)
• zq: Fix an issue with subnet searches (#807)
• zapi: Introduce zapi, a simple CLI for interacting with zqd servers (#802, #809, #812)
• zq: Add arguments to generate CPU/memory profiles (#814)
• zql: Introduce time conversion functions (#822)
• zq: Ensure Spaces have non-blank names (#826)

Visit the Brim Download page to find the package for your OS platform.

• zq: Fix an issue with stream reset that was preventing the pcap button in Brim from activating (#725)
• zql: Allow multiple fields to be written from put processor (#697)

Visit the Brim Download page to find the package for your OS platform.

• zqd: Enable time indexing to provide faster query response in narrower time ranges (#647)
• zql: Make ipv4 subnet bases contain 4 octets to remove ambiguity between fractions & CIDR (#670)
• zq: Use an external sort for large inputs (removes the 10-million line sort limit) (#527)
• zq: Fix an issue where duplicate field names could be produced by aggregate functions & group-by (#676)
• zar: Introduce an experimental prototype for working with archived logs (README) (#700)
• zq: Support recursive record nesting in Zeek reader/writer (#715)
• zqd: Zeek log import support needed for Brim (#616, #517, #608, #592, #592, #582, #709)

Visit the Brim Download page to find the package for your OS platform.

• zql: Introduce =~ and !~ operators in filters for globs, regexps, and matching addresses against subnets (#604, #620)
• zq: When input auto-detect fails, include each attempted format's error (#616)
• zng: Binary format is now called "ZNG" and text format is called "TZNG" ("BZNG" has been retired) (#621, #630, #656)
• zql: cut now has a -c option to show all fields not in the provided list (#639, #655)
• zq: Make -f zng (binary ZNG) the default zq output format, and introduce -t as shorthand for -f tzng (#654)

• zqd: Send HTTP status 200 for successful pcap search (#605)

• zql: Improve string search matching on field names (#570)
• pcap: Better handling of empty results (#572)
• zq: Introduce -e flag to allow for continued reads during input errors (#577)
• pcap: Allow reading of pcap files that have a capture length that exceeds the original length of the packet (#584)
• zqd: Fix an issue that was causing the histogram to draw incorrectly in Brim app (#602)

• zql: Let text searches match field names as well as values (#529)
• zql: Fix an issue where ZQL queries exceeding 255 chars caused a crash (#543)
• zql: Make searches case-insensitive by default (#536)
• Fix an issue where the Zeek reader failed to read whitespace from the rightmost column (#552)

• zql: Emit warnings from put processor (#477)
• zql: Add string functions (#475)
• zql: Narrow the use of len() to only sets/vectors, introduce new functions for string length (#485)
• zql: Add ternary conditional operator (#484)
• zqd: Add waterfall logger (#492)
• zqd: Make http shutdown more graceful (#500)
• zqd: Make space deletion cancel and await other operations (#451)

• zql: add the put processor that adds or updates fields using a computed
  expression. (#437)
• zql: add functions for use with put, like Math.min, Math.max, and others.
  (#453, #459, #461, #472)
• zq: support reading ndjson with user supplied type information. (#441)
• Fix an issue reading pcaps with snaplen=0. (#462)

• Address ingest issues for packet captures in legacy pcap format.
• Calculate and respond with packet capture time range at the start of ingest,
  so that Brim can immediately display the space's time range.

Address an issue ingest packet captures in the legacy pcap format.

• zq now displays warnings by default; the "-W" flag is removed, replaced by
  the "-q" for quieting warnings.
• Update license to reflect new corporate name.
• Address ingest issues for some pcapng packet captures.
• Address ingest issues for file or path names that required uri encoding.

• Support search queries during pcap ingestion.
• Improved error reporting in zqd, especially during pcap ingestion.
• Improved performance of space info api.
• zqd supports ingesting pcapng formatted packet capture files.

Point release to provide updated AST parsing.

Point release to provide an updated zql AST.

v0.4.0

• zqd adds an endpoint to create a new empty space via post
• zqd adds an endpoint to post packet captures that are indexed and turned into Zeek logs

• zqd adds -datadir flag for space root directory.
• zqd adds -version flag.
• Add pcap command to interact with packet capture files.

• Per-platform binaries will be available as Github release assets.
• zql examples under zql/docs are now verified via make test-heavy.
• Negative integers and floats are accepted in zql expressions.
• Internal integer types now match the ZNG specification.
• Fixed comparisons of aliased types.