v0.23.0

@philrz philrz released this 09 Nov 20:32
78762bb

Visit the Brim Download page to find the package for your OS platform.

  • zql: Add week as a unit for time grouping with every (#1374)
  • zq: Fix an issue where a null value in a JSON type definition caused a failure without an error message (#1377)
  • zq: Add zst format to -i and -f command-line help (#1384)
  • zq: ZNG spec and zq updates to introduce the beta ZNG storage format (#1375, #1415, #1394, #1457, #1512, #1523, #1529), also addressing the following:
    • New data type bytes for storing sequences of bytes encoded as base64 (#1315)
    • Improvements to the enum data type (#1314)
    • Special characters like . and @ may now appear in field names (#1291)
    • A set may now only support elements of a single type (#1220, #1515)
    • Remove the byte type from the spec in favor of uint8 (#1316)
    • New data type map, which is like set but the contents are key value pairs where only keys need to be unique and the canonical order is based on the key order (#1317)
    • First-class ZNG types (#1365)
    • New numeric data types float16 and float32 (not yet implemented in zq) (#1312, #1514)
    • New numeric data type decimal (not yet implemented in zq) (#1522)
  • zq: Add backward compatibility for reading the alpha ZNG storage format (#1386, #1392, #1393, #1441)
  • zqd: Check and convert alpha ZNG filestores to beta ZNG (#1574, #1576)
  • zq: Fix an issue where spill-to-disk file names could collide (#1391)
  • zq: Allow the fuse processor to spill-to-disk to avoid memory limitations (#1355, #1402)
  • zq: No longer require _path as a first column in a JSON type definition (#1370)
  • zql: Improve ZQL docs for aggregate functions and grouping (#1385)
  • zql: Point links for developer docs at pkg.go.dev instead of godoc.org (#1401)
  • zq: Add support for timestamps with signed timezone offsets (#1389)
  • zq: Add a JSON type definition for alert events in Suricata EVE logs (#1400)
  • zq: Update the ZNG over JSON (ZJSON) spec and implementation (#1299)
  • zar: Use buffered streaming for archive import (#1397)
  • zq: Add an ast command that prints parsed ZQL as its underlying JSON object (#1416)
  • zar: Fix an issue where zar would SEGV when attempting to query a non-existent index (#1449)
  • zql: Allow sort by expressions and make put/cut expressions more flexible (#1468)
  • zar: Move where chunk metadata is stored (#1461, #1528, #1539)
  • zar: Adjust the -ranges option on zar ls and zar rm (#1472)
  • zq: Choose default memory limits for sort & fuse based on the amount of system memory (#1413)
  • zapi: Fix an issue where create and find were erroneously registered as root-level commands (#1477)
  • zqd: Support pcap ingest into archive Spaces (#1450)
  • zql: Add where filtering for use with aggregate functions (#1490, #1481, #1533)
  • zql: Add union() aggregate function (#1493, #1534)
  • zql: Add collect() aggregate function (#1496, #1534)
  • zql: Add and() and or() aggregate functions (#1497, #1534)
  • zq: Fix an issue where searches did not match field names of records with unset values (#1511)
  • zq: Fix an issue where searches were not reaching into records inside arrays (#1516)
  • zar: Support microindexes created with a sorted flow of records in descending order (#1526)
  • zapi: Allow zapi post of S3 objects (#1532)
  • zar: Add the zar compact command for combining overlapping chunk files into single chunks (#1531)
  • zar: Use chunk seek index for searching chunk data files (#1537)
  • zq: Make timestamp output formatting consistent (#1550, #1551, #1557)
  • zq: Update LZ4 dependency to improve performance (#1556)
  • zq: Fix an issue where TZNG fields containing ] were treated as a syntax error (#1561)
  • zar: Fix an issue where the zar import target size didn't take compression into account (#1565)
  • zapi: Add a -stats option to zapi pcappost (#1538)
  • zqd: Add a Python zqd API client for use with tools like JupyterLab (#1564)