Falcon LogScale Documentation

Suggestions in The Search Box will show for certains function parameters like time formats.

Known field names are now shown as completion suggestions in The Search Box while you type.

The Search page and Dashboards URLs support links with timezones, to sharing links ensure the same timezone. E.g. ?tz=Europe/Copenhagen

Introduced Search Interactions to add custom event list options for all users in a repository.

For more information, see Event List Interactions.

You can now set your preferred timezone under Manage your Account.

The Search page now supports timezone picking. The timezone will be set on the users' session and remembered between pages.

GraphQL API mutations have been added for testing actions without having to save them first. The added mutations are:

The previous testAction mutation has been removed.

The new GraphQL API mutations' signature is almost the same as the create mutation for the same action, except that test actions require event data and a trigger name, as the previous testAction mutation did.

As a consequence, the Test button is now always enabled in the UI.

Introduced Dashboards Interactions to add interactive elements to your dashboards.

For more information, see Managing Dashboard Interactions.

default() now supports assigning the same value to multiple fields, by passing multiple field names to the field parameter.

selectLast() and groupBy() now use less state size, allowing for larger result sets.

The performance of in() is improved when matching with values that do not use the * wildcard.

Fixed the UI as it were not showing an error when a query gets blocked due to query quota settings.

Fixed an issue that made switching UI theme report an error and only take effect for the current session.

For self-hosted: Postmark for sending emails from Actions no longer uses the IP filter, allowing administrators not to put Postmark on the IP allowlist.

Queries ending with tail() will no longer be rendered with infinite scroll.

Fixed a failing require from MiniSegmentsAsTargetSegmentReader, causing queries to fail in very rare cases.

Unlimited waits for nodes to get in sync has been fixed. This caused digest coordination to fail, to limit the time allowed for a node to get "in sync" on a partition before leadership was assigned to it, in cases where the previous digest leader shut down gracefully.

Changes have been made for the three-dot menu (⋮) used for Field Interactions:

The list of Message Templates and Variables is no longer shown in the User Interface when editing Actions, instead a link to the documentation has been added.

A new environment configuration variable GLOB_ALLOW_LIST_EMAIL_ACTIONS is introduced. It enables cluster-wide blocking of recipients of Email actions that are not in the provided allow list.

When creating a new group you now have to add the group and add permissions for it in the same multi step dialog.

Fixed an issue where the dashboard page would freeze when the value of a dashboard parameter was changed.

We have fixed tooltips in the query editor, which were hidden by other elements in the UI.

Fixed an issue where the environment variable OIDC_USE_HTTP_PROXY was not respected. It means that LogScale will now call all OIDC endpoints directly without going through the HTTP Proxy, when OIDC_USE_HTTP_PROXY is set to false.

This fixes the known issue previously reported in Falcon LogScale 1.63.1 Stable (2022-11-14), Falcon LogScale 1.63.2 Stable (2022-11-30), Falcon LogScale 1.63.3 Stable (2022-12-21) and Falcon LogScale 1.70.0 Stable (2023-01-16).

Some restrictions have been introduced when running with single-user as AUTHENTICATION_METHOD:

We have set a maximum number of events that we will parse under a single timeout so large batches are allowed to take longer. If you've seen parsers time out not because the parser is actually slow but because you were processing many events in a single batch, this change should cause that stop happening. Only parsers that are genuinely slow should now time out.

Using ioc:lookup() in a query while the IOC service is disabled will now result in a failed query instead of a warning, stating that there are partial results.

The query function holtwinters() has been removed from the product.

We have reduced the noise from MiniSegmentMergeLatencyLoggerJob by being more conservative about when we log mini segments that are unexpectedly not being merged. We have made MiniSegmentMergeLatencyLoggerJob take datasource idleness into account.

Removed compression type extreme for configuration COMPRESSION_TYPE. Specifying extreme will now select the default value of high in order not to cause configuration errors for clusters that specify extreme. The suggestion is to remove COMPRESSION_TYPE from your configurations unless you specify the only other non-default value of fast.

Fixed an issue where the query scheduling could hit races with the background recompression of files in a way that resulted in the query missing the file and ending up adding warnings about segment files being missed by the query.

Tabs on the Users page are renamed: former Groups and Permissions tab is now renamed to Permissions; former Details tab is now renamed to Information. In addition, the Permissions tab is now displayed first — it is also the tab that will be opened by default when navigating to a user from other places in the product.

The ability to keep the same merge target across digest changes is reintroduced. This feature was reverted in an earlier release due to a discovered issue where mini segments for an active merge target could end up spread across hosts. As that issue has been fixed, mini segments should now be stored on the hosts running digest for the target.

New dynamic configuration FlushSegmentsAndGlobalOnShutdown. When set, and when USING_EPHEMERAL_DISKS is set to true true, forces all in-progress segments to be closed and uploaded to bucket, and also forces a write (and upload) of global snapshot during shutdown. When not set, this avoids the extra work and thus time shutting down from flushing very recent segments, as those can then be resumed on next boot, assuming that next boot continues on the same Kafka epoch. The default is false, which allows faster shutdown.

Fixed an issue where the IOC database could get out of sync.

Fixed an issue where the environment variable OIDC_USE_HTTP_PROXY was not respected. It means that LogScale will now call all OIDC endpoints directly without going through the HTTP Proxy, when OIDC_USE_HTTP_PROXY is set to false.

This fixes the known issue previously reported in Falcon LogScale 1.63.1 Stable (2022-11-14), Falcon LogScale 1.63.2 Stable (2022-11-30), Falcon LogScale 1.63.3 Stable (2022-12-21) and Falcon LogScale 1.70.0 Stable (2023-01-16).

Some restrictions have been introduced when running with single-user as AUTHENTICATION_METHOD:

Unlimited waits for nodes to get in sync has been fixed. This caused digest coordination to fail, to limit the time allowed for a node to get "in sync" on a partition before leadership was assigned to it, in cases where the previous digest leader shut down gracefully.

Added support for export and import of dashboards with query based widgets which use a fixed time window.

New background task TagGroupingSuggestionsJob that reports on flow rate in repositories with many datasources on what it considers slow ones, controlled by configuration of segment sizes and flush intervals. The output in the log can be input to decision on add Tag Grouping to a repository to reduce the number of slow datasources.

Add code to ensure all minisegments for the same target end up located on the same hosts. A change in 1.63 could create a situation where minisegments for the same merge target wound up on different nodes, which the query code currently assumes can't happen. This could cause Result is partial responses to user queries.

Fixed a bug where a link in the notification for a failed alert would link to a non-existing page.

Scatter Chart has been updated:

Fixed three bugs in the Bar Chart — where the sorting would be wrong with updating query results in the stacked version, flickering would occur when deselecting all series in the legend, and deselecting renamed series in the legend would not have any effect.

Fixed an issue with parameters in dashboards, where the values of a fixed list parameter would not have their order maintained when exporting and importing templates.

Fixed a bug where very long string literals in a regex could cause a query/parser to fail with a stack overflow.

OIDC known issue preventing login:

if you are running LogScale self-hosted, this version will not work in an environment where you are Authenticating with OpenID Connect and you use an HTTP Proxy, but you do not want to call OpenIDConnect through the HTTP Proxy.

Please do not upgrade to this version if this is the case — upgrade to Falcon LogScale 1.63.4 Stable (2023-02-01) and Falcon LogScale 1.70.1 Stable (2023-02-01) instead, where this issue has been fixed.

Add bounds to maximum number of active notifications per user.

Added option to filter by group and role permission types in groupsPage and rolesPage queries.

Reduced CPU usage of background tasks for the case of high partition count and high datasource count.

Add support for GET+DELETE requests for queries by external Query ID without including the repository name in the URL. The new URL is /api/v1/queryjobs/QUERYID. Note that shared dashboard token authentication is not supported on this API. (The existing API on /api/v1/repositories/REPONAM/queryjobs/QUERYID remains unmodified and support POST requests for submit of queries.)

Throttle publish to global-events topic internally based on time spent in recent transactions of the same type (digest-related writes are not throttled). See details at new configuration variable GLOBAL_THROTTLE_PERCENTAGE page. Also see the metric global-operation-time for measurements of the time spent.

Allow creating Kafka topics even if a broker is down.

LogScale no longer considers every host to be alive for a period after rebooting. Only hosts marked as running in global will be considered alive. This fixes an issue where a query coordinator might pointlessly direct queries to dead nodes because the coordinator had recently booted.

The query function holtwinters() is now deprecated and will be removed along with the release of future version 1.73; therefore, its usage in alerts is not recommended.

Enforcing S3 file size limits (30MB) in FDR feeds. Files will not be ingested if they are above the limit.

Introduced the Social Login Settings feature: all customers with access to the organization identity providers page can now change social login settings in the UI. See Identity Providers for details.

No longer possible to add a color to roles. Existing role colors removed from the UI.

Improved performance when storing alert errors and trigger times in global.

Changed the default value for AUTHENTICATION_METHOD from none to single-user.

To set username and password, use the environment variables:

See SINGLE_USER_USERNAME and SINGLE_USER_PASSWORD documentation for more details on these variables.

Set minimum version for the cluster to be 1.44.0.

Set dynamic configuration BucketStorageWriteVersion to 3. This sets the format for files written to bucket storage to use a format that allows files larger than 2GB and incurs less memory pressure when decrypting files during download from the bucket. The new format is supported since 1.44.0 only.

Audit logging has been improved.

New metric global-operation-time: tracks local time spent processing each kind of message received on the global events topic.

The warning about unsaved changes being lost on an edited dashboard will now only show when actual changes have been made.

Fixed an issue where LogScale could log secrets to the debug log when configured to use LDAP or when configured to use SSL for Kafka.

Fixed a bug in decryption code used when decrypting downloaded files from bucket storage when version-for-bucket-writes=3. The bug did not allow to decrypt files larger than 2GB.

A new query function named createEvents() has been released. This function creates events from strings and is used for testing queries.

URL paths with repository name and no trailing /search resolved to Not Found. The URL /repoName will now again show the search page for the repoName repository.

IP Location drilldowns now correctly use lat and lon field names instead of latitude and longitude .

Bugs fixed for the collect() function, where:

Added a new configuration to control when digest coordination will permit a node that is not "in sync" and to set a time limit. See MAX_SECS_WAIT_FOR_SYNC_WHEN_CHANGING_DIGEST_LEADER for all the details.

Make adjustments to the HostsCleanerJob. It will now remove references to missing hosts in fewer writes, and will stop immediately if a host rejoins the cluster.

Fixed a bug seen in version 1.65 where groupBy() on multiple fields would sometimes produce multiple rows for the same combination of keys.

Fixed a race where unavailable segments, due to nodes going away, would not become available again after nodes returning.

Fixed an issue that could cause the error message Object is missing required member 'replicationFactor' when downgrading from current versions to older versions. The error message is only a nuisance, since the object failing deserialization isn't in use in released code yet.

Fixed an issue that could cause repeated unnecessary updates of currentHosts for some segments.

Fixed an issue where deleting a parser through an update or uninstall of a package could fail in an unexpected way if the parser was used by an ingest listener or an Fdr feed. Now, a proper error message will be shown.

A new UI for event forwarders located under Organisation Settings now allows you to configure your event forwarders. See Event Forwarders for details.

The Repository icon has been changed to match the new look and feel.

Added a query editor warning (yellow wavy lines) for joins in alerts.

Added a new dynamic configuration UndersizedMergingRetentionPercentage, with a default value of 20. This configuration value is used when selecting undersized segments to merge, this setting controls how wide a time span can be merged together.

The setting is interpreted as a percentage of the repository's retention by time setting. A reasonable range is 0 through to 90.

Increased the limits for bucket. The maximum number of series has been raised from 50 to 500 and the maximum number of output events has been raised from 10,000 to 100,000.

Docker images have been upgraded to Java 17.0.5.

Reduce the scope of a precondition for a particular write to global. This should reduce unnecessary transaction rejections when such writes are bulked together.

Audit logging for s3 archiving which tracks when it is enabled, disabled, configured, and restarted.

Avoid writing some messages to global if we can tell up-front that the message is unnecessary.

Fix some issues with the workings of the BUCKET_STORAGE_MULTIPLE_ENDPOINTS and S3_STORAGE_ENDPOINT_BASE configurations.

The intent of this configuration is to allow users to configure buckets in multiple bucket services, for instance to allow migrating from AWS bucket storage to a local S3 service. When true, each bucket in global can have a separate endpoint configuration, as defined in S3_STORAGE_ENDPOINT_BASE and similar configurations. This allows an existing cluster running against AWS S3 to begin uploading segments to an on-prem S3 by switching the endpoint base, while still keeping access to existing segments in AWS.

When false (default), the endpoint base configuration is applied to all existing buckets on boot. This is intended for cases where the base URL needs to be changed for all bucket, for instance due to the introduction of a proxy.

The issue was that we were not consistently looking up endpoint urls in global for the relevant bucket, but instead simply used whichever endpoint url happened to be defined in configuration at the time. This has been fixed.

Fixed a minor desynchronization issue related to idle datasources.

The SAML login to Humio using deeplinks now works correctly.

When a host is removed from global, a job tries to clean up any references to it from other places in global, such as segments. Fixed a bug in this job that meant it didn't clean up references on segments that were tombstoned but not yet gone from global. This issue could block cleanup of those segments.

Fixed a bug where interaction context menus did not update the query editor in Safari.

Added new dynamic configuration for MaxIngestRequestSize to allow limiting size of ingest requests after content-encoding has been applied. The default can be set using the new configuration variable MAX_INGEST_REQUEST_SIZE, or applied via the dynamic configuration.

It is now possible to specify a dashboard by name in the URL. It is also possible to have dashboard ID as a parameter in order to have permanent links.

Removed the restriction that case and match expressions cannot be used in subqueries.

The query function split() now allows splitting arrays that contain arrays. For example, the event a[0][0]=1, a[1][0]=2 can now be split using split(a) produces two events: _index=0, a[0]=1' and '_index=1, a[0]=2.

The query function in() has been improved w.r.t. performance when searching in tag fields.

Improved memory allocation for the query function split().

The query function join() now provides information to optimize the query.

In the internal request log, include decoded size of the request body after content-encoding has been applied in new field decodedContentLength. This allows inspecting compression ratio of incoming requests and range of values seen. Requests without compression have contentLength in this new field too.

Fixed a bug where a disabled item in the main menu could be clicked on and which would redirect to the homepage.

The Copy menu in the event Inspection Panel now copies text correctly again.

The query functions bucket(), holtwinters(), beta:repeating(), series(), session(), and window() wrongly accepted now as a duration. This error has been fixed.

Fixed an issue where percentile() would crash on invalid input.

Fixed an issue that could cause merged segments to appear to be missing after a restart, due to the datasource going idle.

Fixed an issue where the environment variable OIDC_USE_HTTP_PROXY was not respected. It means that LogScale will now call all OIDC endpoints directly without going through the HTTP Proxy, when OIDC_USE_HTTP_PROXY is set to false.

This fixes the known issue previously reported in Falcon LogScale 1.63.1 Stable (2022-11-14), Falcon LogScale 1.63.2 Stable (2022-11-30), Falcon LogScale 1.63.3 Stable (2022-12-21) and Falcon LogScale 1.70.0 Stable (2023-01-16).

Unlimited waits for nodes to get in sync has been fixed. This caused digest coordination to fail, to limit the time allowed for a node to get "in sync" on a partition before leadership was assigned to it, in cases where the previous digest leader shut down gracefully.

Add code to ensure all minisegments for the same target end up located on the same hosts. A change in 1.63 could create a situation where minisegments for the same merge target wound up on different nodes, which the query code currently assumes can't happen. This could cause Result is partial responses to user queries.

Fixed a bug where a link in the notification for a failed alert would link to a non-existing page.

Fixed an issue where LogScale could log secrets to the debug log when configured to use LDAP or when configured to use SSL for Kafka.

Fixed a bug in decryption code used when decrypting downloaded files from bucket storage when version-for-bucket-writes=3. The bug did not allow to decrypt files larger than 2GB.

OIDC known issue preventing login:

if you are running LogScale self-hosted, this version will not work in an environment where you are Authenticating with OpenID Connect and you use an HTTP Proxy, but you do not want to call OpenIDConnect through the HTTP Proxy.

Please do not upgrade to this version if this is the case — upgrade to Falcon LogScale 1.63.4 Stable (2023-02-01) and Falcon LogScale 1.70.1 Stable (2023-02-01) instead, where this issue has been fixed.

URL paths with repository name and no trailing /search resolved to Not Found. The URL /repoName will now again show the search page for the repoName repository.

OIDC known issue preventing login:

if you are running LogScale self-hosted, this version will not work in an environment where you are Authenticating with OpenID Connect and you use an HTTP Proxy, but you do not want to call OpenIDConnect through the HTTP Proxy.

Please do not upgrade to this version if this is the case — upgrade to Falcon LogScale 1.63.4 Stable (2023-02-01) and Falcon LogScale 1.70.1 Stable (2023-02-01) instead, where this issue has been fixed.

Added the new fileDownloadParallelism setting for FDR feeds to download files from the same SQS message in parallel. See Adjust Polling Nodes Per Feed for all the details.

Add Falcon LogScale announcement on login and signup pages.

The Single Value widget has updated properties:

Parsing JSON arrays in drill-down context menus no longer adds a trailing dot to the prefix field name.

Following its name change, mentions of Humio have been changed to Falcon LogScale.

Humio is now a Falcon product. The Humio owl logo and icons are therefore replaced by beautiful falcons.

Contextual drill-down menus for field interactions have been introduced, see Field Interactions. In particular:

Interactions on JSON data now enabled for JSON arrays in the Event List.

Change Humio logo to Falcon LogScale on login and signup pages.

Self-hosted only: the old implementation of how alert queries are run has been removed. As a consequence, the dynamic configuration UseLegacyAlertJob has also been removed.

Added two new message templates to actions, {query_start_s} and {query_end_s}. See Message Templates and Variables for details.

Added new createDashboardFromTemplateV2 mutation with input parameters aligned with the rest of the create from template mutations.

JSON in Log Line and JSON formats columns in Event List widgets now have fields underlined on hover and are clickable. This allows drill-downs and copying values easily.

Improved the format():

See the format() reference documentation page for all the above mentioned updates on the supported formatting syntax.

Introduced new valid array syntax in array:contains() and array:regex() functions:

QueryAPI — executionModeHint renamed to executionMode.

QueryAPI — Added staticMetaData property to QueryJobStartedResult. At the moment it only contains the property executionMode, which can be used to communicate hints about the way the backend executes the query to the front-end.

New background task that runs at startup. It verifies the checksums present in local segment files, traversing the most recently updated segment files on the local disk, using the timestamps they have when Humio status. If a file has invalid checksum it will be renamed to crc-error.X where X is the ID of the segment. An error will be logged as well.

Added a new ingest endpoint for receiving metrics and traces via OpenTelemetry OTLP/http. See OpenTelemetry for all the details.

Added a new dynamic config UndersizedMergingRetentionPercentage, with a default value of 20. This configuration value is used when selecting undersized segments to merge, this setting controls how wide a time span can be merged together.

The setting is interpreted as a percentage of the repository's retention by time setting. A reasonable range is 0 through to 90.

Created new test function for event forwarders, which takes as input an event forwarder configuration and tests whether it is possible to connect to the Kafka server. The current test function which takes an ID as input and tests an existing event forwarder by ID, is now marked as deprecated.

When selecting a parser test case, the selected test case is highlighted in the UI, so you can see what is selected.

Use latest version of Java 17 in Docker images.

It's now possible to expand multiple bell notifications.

Add a script in the tarball distribution's bin directory to check the execution environment, checking common permission issues and other requirements for an environment suitable for running Logscale.

Added use of the HTTP Proxy Setup, if configured, in a lot of places.

Empty datasource directories will be now removed from the local file system while starting the server.

Add an additional validation check when uploading files to S3-like bucket storage. Humio will now perform a HEAD request for the file's final location in the bucket to verify that the upload succeeded.

Change missing @timestamp field to give a warning instead of an error in functions tail(), head(), bucket(), and timeChart().

Bug fixed in Scatter Chart widget tooltip, so that the description of the actual point only is shown in the tooltip when hovering the mouse over one point, instead of multiple points.

Fixed a bug where query result containing no valid results was handled incorrectly in visualisation.

Fixed an issue where NaN values could cause groupBy() queries to fail.

Fixed a bug where the selfJoin() function would not apply the postfilter parameter.

Fixed an issue where match() would sometimes give errors when ignoreCase=true and events contained latin1 encoded characters.

Fix an issue that could cause event redaction tasks to fail to complete, if a segment having events redacted was deleted due to retention.

Fixed an issue where nothing was displayed on the average ingest chart in case only one datapoint is present.

Fix an issue causing a content-length check for bucket uploads to fail when encryption was enabled. The content-length check is not normally enabled, so this should only affect clusters that have disabled ETag-based validation.

Fixed a regression causing a reflective method lookup to fail when Humio is running on a Java prior to 13.

When selecting a parser test case, the selected test case is highlighted in the UI, so you can see what is selected.

When a host is removed from global, a job tries to clean up any references to it from other places in global, such as segments. Fixed a bug in this job that meant it didn't clean up references on segments that were tombstoned but not yet gone from global. This could block cleanup of those segments.

It is now possible for a user to use the same personal invite token after the user has been transferred to another organization.

OIDC known issue preventing login:

if you are running LogScale self-hosted, this version will not work in an environment where you are Authenticating with OpenID Connect and you use an HTTP Proxy, but you do not want to call OpenIDConnect through the HTTP Proxy.

Please do not upgrade to this version if this is the case — upgrade to Falcon LogScale 1.63.4 Stable (2023-02-01) and Falcon LogScale 1.70.1 Stable (2023-02-01) instead, where this issue has been fixed.

Added enableEventForwarder and disableEventForwarder mutations to enable/disable event forwarders.

LogScale Collector download page has moved into the new top level tab Log Collector Fleet Management (Cloud-only).

New FleetOverview functionality for the LogScale Collector 1.2.0 is available.

Humio Log Collector is now Falcon LogScale Collector.

The holtwinters() query function will be deprecated with the release of future version 1.68. From then, it cannot be expected to work in alerts, and it will be removed entirely with the release of version 1.72.

The base64Decode() query function now accepts non-canonical encodings.

The parseCsv() function has improved its performance, in particular in terms of memory pressure.

Close all segments a node is working on when shutting down. This should help start later in Kafka after reboots.

Fixed a race condition where the segment top offset wasn't removed when a datasource went idle due to a race. This could result in event redaction not running for such segments.

Add Falcon LogScale announcement on login and signup pages.

Parsing JSON arrays in drill-down context menus no longer adds a trailing dot to the prefix field name.

Following its name change, mentions of Humio have been changed to Falcon LogScale.

Change Humio logo to Falcon LogScale on login and signup pages.

Introduced new valid array syntax in array:contains() and array:regex() functions:

Added a new ingest endpoint for receiving metrics and traces via OpenTelemetry OTLP/http. See OpenTelemetry for all the details.

Add a script in the tarball distribution's bin directory to check the execution environment, checking common permission issues and other requirements for an environment suitable for running Logscale.

Added the new fileDownloadParallelism setting for FDR feeds to download files from the same SQS message in parallel. See Adjust Polling Nodes Per Feed for all the details.

Interactions on JSON data now enabled for JSON arrays in the Event List.

QueryAPI — executionModeHint renamed to executionMode.

QueryAPI — Added staticMetaData property to QueryJobStartedResult. At the moment it only contains the property executionMode, which can be used to communicate hints about the way the backend executes the query to the front-end.

Fixed a bug where the selfJoin() function would not apply the postfilter parameter.

Fix an issue that could cause event redaction tasks to fail to complete, if a segment having events redacted was deleted due to retention.

Fixed an issue where nothing was displayed on the average ingest chart in case only one datapoint is present.

Fixed a regression causing a reflective method lookup to fail when Humio is running on a Java prior to 13.

Contextual drill-down menus for field interactions have been introduced, see Field Interactions. In particular:

Added new createDashboardFromTemplateV2 mutation with input parameters aligned with the rest of the create from template mutations.

JSON in Log Line and JSON formats columns in Event List widgets now have fields underlined on hover and are clickable. This allows drill-downs and copying values easily.

New background task that runs at startup. It verifies the checksums present in local segment files, traversing the most recently updated segment files on the local disk, using the timestamps they have when Humio status. If a file has invalid checksum it will be renamed to crc-error.X where X is the ID of the segment. An error will be logged as well.

Use latest version of Java 17 in Docker images.

It's now possible to expand multiple bell notifications.

Fixed a bug where query result containing no valid results was handled incorrectly in visualisation.

Fixed an issue where NaN values could cause groupBy() queries to fail.

The Single Value widget has updated properties:

Added two new message templates to actions, {query_start_s} and {query_end_s}. See Message Templates and Variables for details.

Humio is now a Falcon product. The Humio owl logo and icons are therefore replaced by beautiful falcons.

Improved the format():

See the format() reference documentation page for all the above mentioned updates on the supported formatting syntax.

Empty datasource directories will be now removed from the local file system while starting the server.

Add an additional validation check when uploading files to S3-like bucket storage. Humio will now perform a HEAD request for the file's final location in the bucket to verify that the upload succeeded.

Change missing @timestamp field to give a warning instead of an error in functions tail(), head(), bucket(), and timeChart().

Fix an issue causing a content-length check for bucket uploads to fail when encryption was enabled. The content-length check is not normally enabled, so this should only affect clusters that have disabled ETag-based validation.

Fix a regression introduced in 1.46.0 that can cause Humio to fail to properly replay data from Kafka when a node is restarted.

Humio is now a Falcon product. The Humio owl logo and icons are therefore replaced by beautiful falcons.

Created new test function for event forwarders, which takes as input an event forwarder configuration and tests whether it is possible to connect to the Kafka server. The current test function which takes an ID as input and tests an existing event forwarder by ID, is now marked as deprecated.

When selecting a parser test case, the selected test case is highlighted in the UI, so you can see what is selected.

Added use of the HTTP Proxy Setup, if configured, in a lot of places.

Bug fixed in Scatter Chart widget tooltip, so that the description of the actual point only is shown in the tooltip when hovering the mouse over one point, instead of multiple points.

Fixed an issue where match() would sometimes give errors when ignoreCase=true and events contained latin1 encoded characters.

Fixed an issue where the HTTP threads (Akka pool) could get blocked while sending ingest requests to Kafka, which could result in Humio HTTP endpoints not responding.

When selecting a parser test case, the selected test case is highlighted in the UI, so you can see what is selected.

It is now possible for a user to use the same personal invite token after the user has been transferred to another organization.

Fixed an issue where LogScale could log secrets to the debug log when configured to use LDAP or when configured to use SSL for Kafka.

Fixed a bug in decryption code used when decrypting downloaded files from bucket storage when version-for-bucket-writes=3. The bug did not allow to decrypt files larger than 2GB.

The feature flag for FDR feeds has been removed. FDR feeds are now generally available.

Humio is now a Falcon product. The Humio owl logo and icons are therefore replaced by beautiful falcons.

It is now possible to scroll to the selected event on the Search page.

It is now possible to interact directly with the JSON properties and values in the EventList.

The Log line format type in the Event List will now render fully expanded JSON when a JSON structure starts with a square bracket or curly bracket followed by a newline.

The event lists column header menus have been redesigned to be simpler:

See Formatting Columns.

In the Event List you can assign data types to a column field. You can now make the setting the default for a fields and the setting is remembered when even the field is added to the Event List, e.g. from the fields panel on the Search page. The button for assigning default data type to a field can be found in the Data type dropdown menu in the column headers of the event list widget. See Field Data Types.

Fixed a broken link to the documentation for Message Templates and Variables when editing alerts and scheduled searches.

A major change has been made to how alert queries are run in order to better reuse live queries when nodes are restarted in a Humio cluster. Find more details at Alerts.

When you create or edit an action it will now show a warning dialog if you have unsaved changes.

When creating new Actions, the new name will now stay when you change the Action Type without getting cleared. This also works when you want to change the New Action name while creating a New Action.

Deprecates the defaultSharedTimeIsLive input field on the updateDashboard GraphQL mutation, in favor of updateFrequency.

Added environment variable ENABLE_SANDBOXES to make it possible to enable and disable sandbox repositories.

On cloud: added a configuration on dynamic identity providers to configure if users are allowed to be lazily created.

New dynamic configuration MinimumHumioVersion, default value is 0.0.0, that allows setting a minimum Humio version that this cluster will accept starting on. This allows protecting against inadvertently later rolling back too far for some other feature to be turned on, that has an implied minimum version for support of that feature.

Implemented support for widgets with a fixed time interval on dashboards.

Query functions selectFromMin() and selectFromMax() are now generally available for use.

BREAKING CHANGE: Changes to the serialization format of the Intermediate Language representation of queries.

Description: The serialization format used to serialize the intermediate language representation of queries has changed to a JSON format. This has multiple consequences for on-prem customers. During upgrades to this version and rollbacks from this version you can expect the following:

Improved warning message when using groupBy() with limit=max and the limit is exceeded.

Reduced memory usage for queries that include noResultUntilDone: true in their inputs. This reduces memory usage in queries that do "export" of an aggregate result via the Query API, as well as the "inner" queries in joins, and queries from scheduled searches.

Added support for writing H in place of minutes in the cron schedule of scheduled searches — see Cron Schedule Templates for details.

It is now possible to select an entire permissions group when configuring permissions for a role.

Added an option to make token hashing output in json format. See tokenhashing usage described at Hashed Root Access Token.

Add UI for enabling and disabling social logins on the identity providers page.

In case view is not found we will try to fixup the cache on all cluster nodes.

When configuring SAML and OIDC for an organization, for users with the ManageOrganizations permission to enable/disable whether the IDP is Default and Humio managed.

Added new system permission, PatchGlobal, enabling access to the global patch API.

Allow any root user and any user with the PatchGlobal permission to use the global patch API. Previously required using the server-local special bootstraps root token, that would be valid only on the local node, thus hard to use via a load balancer.

In the dialog for entering a name, when creating a new entity (Alerts, Actions, Scheduled Searches, Parsers), hitting Enter without filling out the name field will now show an error and will not let you go on to the next page.

Permit the first character in the field name of a field being turned into a tag to be anything. If the first character does not match [a-zA-Z] then strip that from the resulting tag name. This does not alter the set of allowed names for tags, but allows the field names being turned into tags to have any character as the leading one, e.g. permitting examples such as &path and *path as field names to turn into the tag #path.

When searching for queries using the Query Monitor in Cluster Administration you can now filter queries based on internal and external query IDs.

With the new implementation for running alerts, alerts will now start faster after a node has been restarted, making it easier for alerts with a small search interval to be able to alert on events during the downtime.

When saving a parser, validate that the fields designated as tag fields have names that are valid as tag field names. Since packages with invalid parsers cannot be installed, if you have an invalid parser in a package, you will need to edit it to keep being able to install it.

Fixed a bug where a dropdown for choosing a parser was not visible in a dialog when creating a new FDR feed.

Removed the deprecated feature flag `FdrFeeds`

Fixed a bug in the computation of query metadata that is used by the UI, which, for example, caused problems showing pie charts with queries containing both groupBy() and top().

Fixed an error when querying for actions in GraphQL on a deleted view.

Marked all feature flags as preview in GraphQL, which means that once they are no longer needed, they will be removed without being deprecated first.

Fixed a bug where certain queries would make it seem that all widgets were incompatible, even though the table view still works.

Importing a dashboard with Shared time enabled and Live disabled would import the dashboard with Live enabled. Likewise, when creating a new dashboard from a template, Live would be on.

Fixed an issue where wordwrap did not work in the Inspect Panel.

The Single Value color threshold list could get into a state where you could not type threshold values into the four text fields.

The Apply Filter button on the dashboard correctly applies the typed filter again.

Fixed a recent bug which caused the category links from groupBy()-groups to be lost when a subsequent sort() was used, and also made grouping-based charts (bar, pie, heat map) unusable in such cases.

Fixed an issue with tags in Event Forwarding, so that it is now possible to filter on tags using event forwarding rules, and the tags are present in the forwarded events.

Fixed an issue where some segments could stall the background process implementing event redaction. This could then result in segments not being merged. The visible symptom would be segments with topOffset attribute being -1, and MiniSegmentMergeLatencyLoggerJob logging that some segments are not being merged.

Fixed an issue where the HTTP threads (Akka pool) could get blocked while sending ingest requests to Kafka, which could result in Humio HTTP endpoints not responding.

We have removed the @host field from the humio-activity logs and the #host tag from the humio-audit log, as we can no longer provide meaningful values for these. The @host field in the humio-metrics logs will remain, but its value will be changed to the vhost id (an integer number).

Fixed an issue where delete events from a minisegment could result in the merge of those minisegments into the resulting target segment never got executed.

It is no longer possible to have an upload file action with a path in the file name. This would result in an unusable file being created.

Fixing an issue, where the sessions of a user wasn't revoked when the user was deleted.

Fixed an issue where queries could fail when the requests within the cluster were more than 8 MB each.

Fix a regression introduced in 1.46.0 that can cause Humio to fail to properly replay data from Kafka when a node is restarted.

Fixes a bug where a placeholder would appear for the region selector on the login pages, even though it itself wouldn't be shown since it has no configured regions.

Previously parsing packages was very strict, falling when detecting unsupported files. This is no longer the case, unsupported files will now be ignored and won't stop the package from installing.

Humio is now a Falcon product. The Humio owl logo and icons are therefore replaced by beautiful falcons.

Humio is now a Falcon product. The Humio owl logo and icons are therefore replaced by beautiful falcons.

It is now possible to interact directly with the JSON properties and values in the EventList.

The event lists column header menus have been redesigned to be simpler:

See Formatting Columns.

In the Event List you can assign data types to a column field. You can now make the setting the default for a fields and the setting is remembered when even the field is added to the Event List, e.g. from the fields panel on the Search page. The button for assigning default data type to a field can be found in the Data type dropdown menu in the column headers of the event list widget. See Field Data Types.

Implemented support for widgets with a fixed time interval on dashboards.

BREAKING CHANGE: Changes to the serialization format of the Intermediate Language representation of queries.

Description: The serialization format used to serialize the intermediate language representation of queries has changed to a JSON format. This has multiple consequences for on-prem customers. During upgrades to this version and rollbacks from this version you can expect the following:

Removed the deprecated feature flag `FdrFeeds`

Marked all feature flags as preview in GraphQL, which means that once they are no longer needed, they will be removed without being deprecated first.

Fixed a bug where certain queries would make it seem that all widgets were incompatible, even though the table view still works.

Importing a dashboard with Shared time enabled and Live disabled would import the dashboard with Live enabled. Likewise, when creating a new dashboard from a template, Live would be on.

Fixed an issue with tags in Event Forwarding, so that it is now possible to filter on tags using event forwarding rules, and the tags are present in the forwarded events.

Fixed an issue where some segments could stall the background process implementing event redaction. This could then result in segments not being merged. The visible symptom would be segments with topOffset attribute being -1, and MiniSegmentMergeLatencyLoggerJob logging that some segments are not being merged.

It is no longer possible to have an upload file action with a path in the file name. This would result in an unusable file being created.

It is now possible to scroll to the selected event on the Search page.

When you create or edit an action it will now show a warning dialog if you have unsaved changes.

When creating new Actions, the new name will now stay when you change the Action Type without getting cleared. This also works when you want to change the New Action name while creating a New Action.

Query functions selectFromMin() and selectFromMax() are now generally available for use.

It is now possible to select an entire permissions group when configuring permissions for a role.

In the dialog for entering a name, when creating a new entity (Alerts, Actions, Scheduled Searches, Parsers), hitting Enter without filling out the name field will now show an error and will not let you go on to the next page.

Fixing an issue, where the sessions of a user wasn't revoked when the user was deleted.

The Log line format type in the Event List will now render fully expanded JSON when a JSON structure starts with a square bracket or curly bracket followed by a newline.

Added environment variable ENABLE_SANDBOXES to make it possible to enable and disable sandbox repositories.

Added an option to make token hashing output in json format. See tokenhashing usage described at Hashed Root Access Token.

When configuring SAML and OIDC for an organization, for users with the ManageOrganizations permission to enable/disable whether the IDP is Default and Humio managed.

Fixed a recent bug which caused the category links from groupBy()-groups to be lost when a subsequent sort() was used, and also made grouping-based charts (bar, pie, heat map) unusable in such cases.

Fixed an issue where queries could fail when the requests within the cluster were more than 8 MB each.

Previously parsing packages was very strict, falling when detecting unsupported files. This is no longer the case, unsupported files will now be ignored and won't stop the package from installing.

Reduced memory usage for queries that include noResultUntilDone: true in their inputs. This reduces memory usage in queries that do "export" of an aggregate result via the Query API, as well as the "inner" queries in joins, and queries from scheduled searches.

Add UI for enabling and disabling social logins on the identity providers page.

When searching for queries using the Query Monitor in Cluster Administration you can now filter queries based on internal and external query IDs.

Fixed an issue where wordwrap did not work in the Inspect Panel.

The Single Value color threshold list could get into a state where you could not type threshold values into the four text fields.

The Apply Filter button on the dashboard correctly applies the typed filter again.

We have removed the @host field from the humio-activity logs and the #host tag from the humio-audit log, as we can no longer provide meaningful values for these. The @host field in the humio-metrics logs will remain, but its value will be changed to the vhost id (an integer number).

Fixed an issue where delete events from a minisegment could result in the merge of those minisegments into the resulting target segment never got executed.

The feature flag for FDR feeds has been removed. FDR feeds are now generally available.

Fixed a broken link to the documentation for Message Templates and Variables when editing alerts and scheduled searches.

A major change has been made to how alert queries are run in order to better reuse live queries when nodes are restarted in a Humio cluster. Find more details at Alerts.

Deprecates the defaultSharedTimeIsLive input field on the updateDashboard GraphQL mutation, in favor of updateFrequency.

On cloud: added a configuration on dynamic identity providers to configure if users are allowed to be lazily created.

New dynamic configuration MinimumHumioVersion, default value is 0.0.0, that allows setting a minimum Humio version that this cluster will accept starting on. This allows protecting against inadvertently later rolling back too far for some other feature to be turned on, that has an implied minimum version for support of that feature.

Improved warning message when using groupBy() with limit=max and the limit is exceeded.

Added support for writing H in place of minutes in the cron schedule of scheduled searches — see Cron Schedule Templates for details.

In case view is not found we will try to fixup the cache on all cluster nodes.

Added new system permission, PatchGlobal, enabling access to the global patch API.

Allow any root user and any user with the PatchGlobal permission to use the global patch API. Previously required using the server-local special bootstraps root token, that would be valid only on the local node, thus hard to use via a load balancer.

Permit the first character in the field name of a field being turned into a tag to be anything. If the first character does not match [a-zA-Z] then strip that from the resulting tag name. This does not alter the set of allowed names for tags, but allows the field names being turned into tags to have any character as the leading one, e.g. permitting examples such as &path and *path as field names to turn into the tag #path.

With the new implementation for running alerts, alerts will now start faster after a node has been restarted, making it easier for alerts with a small search interval to be able to alert on events during the downtime.

When saving a parser, validate that the fields designated as tag fields have names that are valid as tag field names. Since packages with invalid parsers cannot be installed, if you have an invalid parser in a package, you will need to edit it to keep being able to install it.

Fixed a bug where a dropdown for choosing a parser was not visible in a dialog when creating a new FDR feed.

Fixed a bug in the computation of query metadata that is used by the UI, which, for example, caused problems showing pie charts with queries containing both groupBy() and top().

Fixed an error when querying for actions in GraphQL on a deleted view.

Fixes a bug where a placeholder would appear for the region selector on the login pages, even though it itself wouldn't be shown since it has no configured regions.

Fixed an issue where LogScale could log secrets to the debug log when configured to use LDAP or when configured to use SSL for Kafka.

Fixed a bug in decryption code used when decrypting downloaded files from bucket storage when version-for-bucket-writes=3. The bug did not allow to decrypt files larger than 2GB.

Fixed a bug where certain queries would make it seem that all widgets were incompatible, even though the table view still works.

Importing a dashboard with Shared time enabled and Live disabled would import the dashboard with Live enabled. Likewise, when creating a new dashboard from a template, Live would be on.

Fixed an issue where some segments could stall the background process implementing event redaction. This could then result in segments not being merged. The visible symptom would be segments with topOffset attribute being -1, and MiniSegmentMergeLatencyLoggerJob logging that some segments are not being merged.

Fix a regression introduced in 1.46.0 that can cause Humio to fail to properly replay data from Kafka when a node is restarted.

The Apply Filter button on the dashboard correctly applies the typed filter again.

Fixed a recent bug which caused the category links from groupBy()-groups to be lost when a subsequent sort() was used, and also made grouping-based charts (bar, pie, heat map) unusable in such cases.

Fixed a bug related to query result metadata for some functions when used as the last aggegate function in a query.

Fixed an issue where queries could fail when the requests within the cluster were more than 8 MB each.

Fixed an issue for ephemeral disk based installs where segment files could stay longer on local disks than they were required to, in cases where some nodes listed in the cluster were not alive for extended periods of time.

Added environment variable FDR_USE_PROXY which makes the fdr job use the proxy settings specified with: HTTP_PROXY_* environment variables.

FDR polling is now turned on by default. Whether FDR polling should be turned on or off on a node can be configured using the ENABLE_FDR_POLLING_ON_NODE configuration variable.

If Humio fails to start because the cluster is being upgraded, a dedicated message will show when launching the UI.

When editing an email action in the UI and adding multiple recipients, it is now possible to add a space after the comma in the comma-separated list of recipients.

Toggle switches anywhere in the UI are now tabbable and can be accessed using the keyboard.

Adds an icon and a hint to a disabled side navigation menu item that tells the user the reason for it being disabled.

In lists of users, with user avatars containing user initials, the current user would sometimes appear to have an opening parenthesis as their last initial.

The design of the Time Selector has been updated, and it now features an Apply button on the dashboard page. See Time Interval Settings.

New styling of errors on search and dashboard pages.

Field columns now support multiple formatting options. See Formatting Columns for details.

Improved keyboard accessibility for creating repositories and views.

The Save As... button is now always displayed on the Search page, see it described at Saving a Search.

Add missing accessibility features to the login page.

The Live checkbox is now no longer checked automatically when changing the value of the time window in the Time Selector. See Expanding Time Frame for details.

All documentation links have been updated after the documentation site has been restructured. Please contact support, if you experience any broken links.

Fixed a bug where an alert with name longer than 50 characters could not be edited.

Introduced new dynamic configuration LiveQueryMemoryLimit. It can be set using graphQL. See Limits for details.

Improved error messaging of GraphQL queries and mutations for alerts, scheduled searches and actions in cases where a given repository or view cannot be found.

Added a GraphQL mutation for testing an action. It is still in preview, but it will replace the equivalent REST endpoint soon.

Expose a new GraphQL type with feature flag descriptions and whether they are experimental.

The GQL API mutation updateDashboard has been updated to take a new argument updateFrequency which can currently only be NEVER or REALTIME, which correspond respectively to "dashboard where queries are never updated after first completion" and "dashboard where query results are updated indefinitely".

Added preview fields isClusterBeingUpdated and minimumNodeVersion to the GraphQL Cluster object type.

Added a new dynamic configuration flag QueryResultRowCountLimit that globally limits how many results (events) a query can return. This flag can be set by administrators through graphQL. See Limits for more details.

Introduced new dynamic configuration StateRowLimit. It can be set using graphQL. See Limits for details.

Added a new dynamic configuration GroupDefaultLimit. This can be done through GraphQL. See Limits for details. If you've changed the value of MAX_STATE_LIMIT, we recommend that you also change GroupDefaultLimit and GroupMaxLimit to the same value for a seamless upgrade, see groupBy() for details.

Introduced new dynamic configuration QueryMemoryLimit. It can be set using graphQL. See also LiveQueryMemoryLimit for live queries. For more details, see Limits.

Introduced new dynamic configuration JoinRowLimit. It can be set using graphQL and can be used as an alternative to the environment variable MAX_JOIN_LIMIT. If the JoinRowLimit is set, then its value will be used instead of MAX_JOIN_LIMIT. If it is not set, then MAX_JOIN_LIMIT will be used.

Introduced new dynamic configuration GroupMaxLimit. It can be set using graphQL. See Limits for details.

Improve the error message if Humio is configured to use bucket storage, but the credentials for the bucket are not configured.

Detect need for higher autoshard count by monitoring ingest request flow in the cluster. Dynamically increase the number of autoshards for each datasource to keep flow on each resulting shard below approximately 2MB/s. New DynamicConfig for this that sets the target maximum rate of ingest for each shard of a datasource: TargetMaxRateForDatasource. Default value is 2000000 (2 MB).

Bucket storage now has support for a new format for the keys (file names) for the files placed in the bucket. When the new format is applied, listing of files only happens for the prefixes "tmp/" and "globalsnapshots/". This help products such a "HCP". The new format is applied only to buckets created after the DynamicConfig BucketStorageKeySchemeVersion has been set to "2". Existing cluster can start using the new format for new files by setting the DynamicConfig. The change will take effect after restarting the cluster. When creating a new Humio clusters, the new format is the default. The new format is supported only on Humio version 1.41+.

Add environment variable EULA_URL to specificy url for terms and conditions.

New file format for files uploaded to bucket storage that allows files larger than 2GB to be written to bucket storage. This may be turned on by setting the DynamicConfig BucketStorageWriteVersion to "3". When creating a new Humio clusters, the new format is the default. The new format is supported only on Humio version 1.41+.

New configurations BUCKET_STORAGE_SSE_COMPATIBLE that makes bucket storage not verify checksums of raw objects after uploading to an S3. This option is turned on automatically is KMS is enabled (see S3_STORAGE_KMS_KEY_ARN) but is available directly here for use with other S3 compatible providers where verfying even content length does not work.

Mini segments usually get merged if their event timestamps span more than MAX_HOURS_SEGMENT_OPEN. Mini segments created as part of backfilling did not follow this rule, but will now get merged if their ingest timestamps span more than MAX_HOURS_SEGMENT_OPEN.

Added a link to humio-activity repository for debugging IDP configurations to the page for setting up the same.

Adds a new metric for measuring the merge latency, which is defined as the latency between the last minisegment being written in a sequence with the same merge target, and those minisegments being merged. The metric name is segment-merge-latency-ms.

Change default value for configuration AUTOSHARDING_MAX from 16 to 128.

Default value of configuration variable S3_ARCHIVING_WORKERCOUNT raised from 1 to (vCPU/4).

Adds a new logger job that logs the age of an unmerged miniSegment if the age exceeds the threshold set by the env variable MINI_SEGMENT_MAX_MERGE_DELAY_MS_BEFORE_WARNING. The default value of MINI_SEGMENT_MAX_MERGE_DELAY_MS_BEFORE_WARNING is 2 x MAX_HOURS_SEGMENT_OPEN. MAX_HOURS_SEGMENT_OPEN defaults to 24 hours. The error log produced looks like: Oldest unmerged miniSegment is older than the threshold thresholdMs={value} miniSegmentAgeMs={value} segment={value}.

Added a new environment variable GLOB_MATCH_LIMIT which sets the maximum number of rows for csv_file in match(..., file=csv_file, glob=true) function. Previously MAX_STATE_SIZE was used to determine this limit. The default value of this variable is 20000. If you've changed the value of MAX_STATE_SIZE, we recommend that you also change GLOB_MATCH_LIMIT to the same value for a seamless upgrade.

Support for KMS on S3 bucket for Bucket Storage. Specify full ARN of the key. The key_id is persisted in the internal BucketEntity so that a later change of the ID of the key to use for uploads will make Humio still refer the old keyID when downloading files uploaded using the previous key. Setting a new value for the target key results in a fresh internal bucket entity to track which files used kms and which did not. For simplicity it is recommended to not mix KMS and non-KMS configurations on the same S3 bucket.

The widget legend column width is now based on the custom series title (if specified) instead of the original series name.

Added empty states for all widget types that will be rendered when there are no results.

Dashboards can now be configured to not update after the initial search has completed. This mode is mainly meant to be used when a dashboard is interactive and not for wall-mounted monitors that should update continually. The feature can be accessed from the Dashboard properties panel when a dashboard is put in edit-mode. See Working in Edit Mode.

The Normalize option for the World Map widget has been replaced by a third magnitude mode named None, which results in fixed size and opacity for all marks.

Single Value widget new configuration: deprecated field use-colorised-thresholds in favor of color-method.

Single Value widget Editor: the configuration option Enable Thresholds is being replaced by an option called Method under the Colors section.

Pie Chart widget now uses the first column for the series as a fall back option.

Note widget:

Introducing the Heatmap widget that visualizes aggregated data as a colorised grid.

Applied stylistic changes for the Inspect Panel used in Widget Editor.

Sorting of Pie Chart widget categories, descending by value. Categories grouped as Others will always be last.

Table widgets will now break lines for newline characters in columns.

The Dashboard page now displays the current cluster status.

Single Value widget:

Bar Chart widget:

Better handling of dashboard connections issues during restarts and upgrades.

When importing existing dashboard with a static Shared time, recent changes in the time selection would make those dashboards live.

The Pie Chart widget now uses the first column for the series as a fall back option.

The Log Collector download page has been enabled for on-prem deployments.

Added validation to the field and key parameters of the join() function, so empty lists will be rejected with a meaningful error message.

Added validation to the field parameter of the kvParse() function, so empty lists will be rejected with a meaningful error message.

Improved the phrasing of the warning shown when groupBy() exceeds the max or default limit.

The groupBy() function now accepts max as value for the limit parameter, which sets the limit to the largest allowed value (as configured by the dynamic configuration GroupMaxLimit).

Fix a bug that could cause Humio to spuriously log errors warning about segments not being merged for datasources doing backfilling.

Improved performance of NDJSON format in S3 Archiving.

All feature flags now contains a textual description about what features are hidden behind the flag.

Compute next set of Prometheus metrics only in a single thread concurrently. If more requests arrive, then the next request gets the previous response.

Add warning when a multitenancy user is changing data retention on an unlimited repository.

Added a log line for when a query exceeds its allotted memory quota.

Added a new action type that creates a CSV file from the query result and uploads it to Humio to be used with the match() query function. See Upload File.

The referrer meta tag for Humio has been changed from no-referrer to same-origin.

Bump the version of the Monaco code editor.

Fix a bug causing Humio's digest coordinator to allow nodes to take over digest without catching up to the current leader. This could cause the new leader to replay more data from Kafka than necessary.

Adds a logger job for cluster management stats it log the stats every 2 minutes, which makes them searchable in Humio.

The logs belong to the class c.h.c.ClusterManagementStatsLoggerJob, logs for all segments contains globalSegmentStats log about singular segments starts with segmentStats.

Fixed an issue where query auto-completion sometimes wouldn't show the documentation for the suggested functions.

Adds a new metric for the temp disk usage. The metric name is temp-disk-usage-bytes and denotes how many bytes are used.

Make a number of improvements to the digest partition coordinator. The coordinator now tries harder to avoid assigning digest to nodes that are not caught up on fetching segments from the other nodes. It also does a better job unassigning digest from dead nodes in edge cases.

Humio now logs digest partition assignments regularly. The logs can be found using the query class=*DigestLeadershipLoggerJob*.

Added a log message with the maximum state size seen by the live part of live queries.

All users will not have access to the audit log or search all view by default anymore. Access can be granted with permissions.

Added detection and handling of all queries being blocked during Humio upgrades.

Added a log of the approximate query result size before transmission to the frontend, captured by the approximateResultBeforeSerialization key.

Remove remains of default groups and roles. The concept was replaced with UserRoles.

Fix an unhandled IO exception from TempDirUsageJob. The consequence of the uncaught exception was only noise in the error log.

Streaming queries that fail to validate now return a message of why validation failed.

The audit log system repository on Cloud has been replaced with a view, so that dashboards etc. can be created on top of audit log data.

Make BucketStorageUploadJob only log at info level rather than error if a segment upload fails because the segment has been removed from the host. This can happen if node X tries to upload a segment, but node Y beats it to the punch. Node X may then choose to remove its copy before the upload completes.

When unregistering a node from a cluster, return a validation error if it is still alive. Hosts should be shut down before attempting to remove them from the cluster. This validation can be skipped using the same accept-data-loss parameter that also disables other validations for the unregistration endpoint.

Include the requester in logs from QuerySessions when a live query is restarted or cancelled.

Java in the docker images no longer has the cap_net_bind_service capability and thus Humio cannot bind directly to privileged ports when running as a non-root user.

Add flag whether a feature is experimental.

FDR Ingest will no longer fail on events that are larger than the maximum allowed event size. Instead, such messages will be truncated.

Fix the dropdown menus closing too early on the home page.

When viewing the events behind e.g. a Time Chart, the events will now only display with the @timestamp and @rawstring columns.

Fixed a bug where the "=" and "/=" buttons did not appear on cells in the event list where they should.

Prevent the UI showing errors for smaller connection issues while restarting.

Intermediate network issues are not reported immediately as an error in the UI.

Websocket connections are now kept open when transitioning pages, and are used more efficiently for syntax highlighting.

Fixed an issue where some warnings would show twice.

Cloud: Updated the layout for license key page.

Fix the assets GraphQL query in organizations with views that are not 1-to-1 linked.

Fixed an issue where event forwarding still showed as beta.

Fixed an issue where delete events from a minisegment could result in the merge of those minisegments into the resulting target segment never got executed.

Index in block needs reading from blockwriter before adding each item.

Fixed a bug where the @id field of events in live query were off by one.

Fixed a bug that could result in merging small ("undersized") segments even if the resulting segment would then have a wider than desired time span. The goal it to not produce segments that span more than the 10% of the retention setting for time for the repository. If no time-based retention is configured on the repository, then 3 times the value of configuration variable MAX_HOURS_SEGMENT_OPEN is applied as limit. For default settings, that results in 72 hours.

The theme toggle on a shared dashboard was moved to the header panel and no longer overlaps with any widgets.

The Time Chart widget regression line is no longer affected by the interpolation setting.

Fixed a bug where using eval as an argument to a function would result in a confusing error message.

Revised some of the error messages and warnings regarding join() and selfJoin().

Fixed a bug where the writeJson() function would write any field starting with a case-insensitive inf or infinity prefix as a null value in the resulting JSON.

Fixed a bug where ioc:lookup() would sometimes give incorrect results when negated.

Bump woodstox to address SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754.

Fix a bug that could cause a NumberFormatException to be thrown from ZookeeperStatsClient.

Fix type in Unregisters node text on cluster admin UI.

Fix an issue causing Humio to create a large number of temporary directories in the data directory.

Fixed an issue where JSON parsing on ingest and in the query language was inefficient for large JSON objects.

Fix an issue that could rarely cause exceptions to be thrown from Segments.originalBytesWritten, causing noise in the log.

Fixed an issue where query auto-completion would sometimes delete existing parentheses.

Centralise decision for names of files in bucket, allow more than one variant.

Improved hover messages for strings.

Fix a bug causing digesters to continue digesting even if the local disk is full. The digester will now pause digesting and error log if this occurs.

Fix a bug where changing a role for a user under a repository would trigger infinite network requests.

If a segment is deleted or otherwise disappears from global while Humio is attempting to upload it to bucket storage, the upload will now be dropped with an info-level log, rather than requeued with an error log.

Upgrade Kafka to 3.2.0 in the docker images, and in the Humio dependencies.

Fixed a bug where multiline comments weren't always highlighted correctly.

Fix an issue causing the event forwarding feature to incorrectly reject topic names that contained a dash (-).

Fix response entities not being discarded in error cases for the proxyqueryjobs endpoint, which could cause warnings in the log.

Make streaming queries search segments newest-to-oldest rather than oldest-to-newest. Streaming queries do not ensure the order of exported events anyway, and searching newest-to-oldest is more efficient.

Improve file path handling in DiskSpaceJob to eliminate edge cases where the job might not have been able to tell if a file was on primary or secondary storage.

Fix performance issue for users with access to many views.

Some errors messages wrongly pointed to the beginning of the query.

Fixed an issue where strings like Nana and Information could be interpreted as NaN (not-a-number) and infinity, respectively.

Humio will now clean up its tmp directories by deleting all "humiotmp" directories in the data directory when terminating gracefully.

Fix a regression in the launcher script causing JVM_LOG_DIR to not be evaluated relative to the Humio base install path. All paths in the launcher script should now be relative to the base install path, which is the directory containing the bin folder.

Fix a bug that could cause merge targets to be cached indefinitely if the associated minis had their mergeTarget unset. The effect was a minor memory leak.

Fix a bug that could cause Humio to attempt to merge minisegments from one datasource into a segment in another datasource, causing an error to be thrown.

When configuring thread priorities, Humio will no longer attempt to call the native setpriority function. It will instead only call the Java API for setting thread priority.

Fixes the placement of a confirmation dialog when attempting to change retention.

Update org.json:json to address a vulnerability that could cause stack overflows.

When editing an email action in the UI and adding multiple recipients, it is now possible to add a space after the comma in the comma-separated list of recipients.

Adds an icon and a hint to a disabled side navigation menu item that tells the user the reason for it being disabled.

The design of the Time Selector has been updated, and it now features an Apply button on the dashboard page. See Time Interval Settings.

All documentation links have been updated after the documentation site has been restructured. Please contact support, if you experience any broken links.

The GQL API mutation updateDashboard has been updated to take a new argument updateFrequency which can currently only be NEVER or REALTIME, which correspond respectively to "dashboard where queries are never updated after first completion" and "dashboard where query results are updated indefinitely".

Dashboards can now be configured to not update after the initial search has completed. This mode is mainly meant to be used when a dashboard is interactive and not for wall-mounted monitors that should update continually. The feature can be accessed from the Dashboard properties panel when a dashboard is put in edit-mode. See Working in Edit Mode.

Added validation to the field and key parameters of the join() function, so empty lists will be rejected with a meaningful error message.

Added validation to the field parameter of the kvParse() function, so empty lists will be rejected with a meaningful error message.

Improved the phrasing of the warning shown when groupBy() exceeds the max or default limit.

Added validation to the field parameter of the top() function, so empty lists will be rejected with a meaningful error message.

Added a new action type that creates a CSV file from the query result and uploads it to Humio to be used with the match() query function. See Upload File.

Fixed an issue where query auto-completion sometimes wouldn't show the documentation for the suggested functions.

Humio now logs digest partition assignments regularly. The logs can be found using the query class=*DigestLeadershipLoggerJob*.

Streaming queries that fail to validate now return a message of why validation failed.

Fix the assets GraphQL query in organizations with views that are not 1-to-1 linked.

Fixed an issue where validation of +/- Infinity as integer arguments would crash.

Fixed an issue where event forwarding still showed as beta.

Fixed an issue where join() would not produce the correct results when mode=left was set.

Fix an issue causing Humio to create a large number of temporary directories in the data directory.

Fixed an issue where JSON parsing on ingest and in the query language was inefficient for large JSON objects.

Fix an issue that could rarely cause exceptions to be thrown from Segments.originalBytesWritten, causing noise in the log.

Fixed an issue where query auto-completion would sometimes delete existing parentheses.

Fix performance issue for users with access to many views.

The Save As... button is now always displayed on the Search page, see it described at Saving a Search.

Fixed a bug where an alert with name longer than 50 characters could not be edited.

The groupBy() function now accepts max as value for the limit parameter, which sets the limit to the largest allowed value (as configured by the dynamic configuration GroupMaxLimit).

Parser installation will now be ignored when installing a package into a system repository.

Fix an unhandled IO exception from TempDirUsageJob. The consequence of the uncaught exception was only noise in the error log.

Make BucketStorageUploadJob only log at info level rather than error if a segment upload fails because the segment has been removed from the host. This can happen if node X tries to upload a segment, but node Y beats it to the punch. Node X may then choose to remove its copy before the upload completes.

Java in the docker images no longer has the cap_net_bind_service capability and thus Humio cannot bind directly to privileged ports when running as a non-root user.

Fixed an issue where some warnings would show twice.

Revised some of the error messages and warnings regarding join() and selfJoin().

Fix a bug that could cause a NumberFormatException to be thrown from ZookeeperStatsClient.

Fixed an issue where strings like Nana and Information could be interpreted as NaN (not-a-number) and infinity, respectively.

Updated styling on the log in pages.

Add missing accessibility features to the login page.

The Live checkbox is now no longer checked automatically when changing the value of the time window in the Time Selector. See Expanding Time Frame for details.

Expose a new GraphQL type with feature flag descriptions and whether they are experimental.

All feature flags now contains a textual description about what features are hidden behind the flag.

Added detection and handling of all queries being blocked during Humio upgrades.

Include the requester in logs from QuerySessions when a live query is restarted or cancelled.

Add flag whether a feature is experimental.

When viewing the events behind e.g. a Time Chart, the events will now only display with the @timestamp and @rawstring columns.

The theme toggle on a shared dashboard was moved to the header panel and no longer overlaps with any widgets.

Fix response entities not being discarded in error cases for the proxyqueryjobs endpoint, which could cause warnings in the log.

Fixes the placement of a confirmation dialog when attempting to change retention.

FDR polling is now turned on by default. Whether FDR polling should be turned on or off on a node can be configured using the ENABLE_FDR_POLLING_ON_NODE configuration variable.

If Humio fails to start because the cluster is being upgraded, a dedicated message will show when launching the UI.

Introduced new dynamic configuration LiveQueryMemoryLimit. It can be set using graphQL. See Limits for details.

Added preview fields isClusterBeingUpdated and minimumNodeVersion to the GraphQL Cluster object type.

Added a new dynamic configuration flag QueryResultRowCountLimit that globally limits how many results (events) a query can return. This flag can be set by administrators through graphQL. See Limits for more details.

Introduced new dynamic configuration StateRowLimit. It can be set using graphQL. See Limits for details.

Added a new dynamic configuration GroupDefaultLimit. This can be done through GraphQL. See Limits for details. If you've changed the value of MAX_STATE_LIMIT, we recommend that you also change GroupDefaultLimit and GroupMaxLimit to the same value for a seamless upgrade, see groupBy() for details.

Introduced new dynamic configuration QueryMemoryLimit. It can be set using graphQL. See also LiveQueryMemoryLimit for live queries. For more details, see Limits.

Introduced new dynamic configuration JoinRowLimit. It can be set using graphQL and can be used as an alternative to the environment variable MAX_JOIN_LIMIT. If the JoinRowLimit is set, then its value will be used instead of MAX_JOIN_LIMIT. If it is not set, then MAX_JOIN_LIMIT will be used.

Introduced new dynamic configuration GroupMaxLimit. It can be set using graphQL. See Limits for details.

New configurations BUCKET_STORAGE_SSE_COMPATIBLE that makes bucket storage not verify checksums of raw objects after uploading to an S3. This option is turned on automatically is KMS is enabled (see S3_STORAGE_KMS_KEY_ARN) but is available directly here for use with other S3 compatible providers where verfying even content length does not work.

Mini segments usually get merged if their event timestamps span more than MAX_HOURS_SEGMENT_OPEN. Mini segments created as part of backfilling did not follow this rule, but will now get merged if their ingest timestamps span more than MAX_HOURS_SEGMENT_OPEN.

Support for KMS on S3 bucket for Bucket Storage. Specify full ARN of the key. The key_id is persisted in the internal BucketEntity so that a later change of the ID of the key to use for uploads will make Humio still refer the old keyID when downloading files uploaded using the previous key. Setting a new value for the target key results in a fresh internal bucket entity to track which files used kms and which did not. For simplicity it is recommended to not mix KMS and non-KMS configurations on the same S3 bucket.

Applied stylistic changes for the Inspect Panel used in Widget Editor.

Table widgets will now break lines for newline characters in columns.

Fix a bug that could cause Humio to spuriously log errors warning about segments not being merged for datasources doing backfilling.

Compute next set of Prometheus metrics only in a single thread concurrently. If more requests arrive, then the next request gets the previous response.

The referrer meta tag for Humio has been changed from no-referrer to same-origin.

Improved performance of validation of keys in tags.

All users will not have access to the audit log or search all view by default anymore. Access can be granted with permissions.

The audit log system repository on Cloud has been replaced with a view, so that dashboards etc. can be created on top of audit log data.

Fixed a bug where using eval as an argument to a function would result in a confusing error message.

Fix type in Unregisters node text on cluster admin UI.

In lists of users, with user avatars containing user initials, the current user would sometimes appear to have an opening parenthesis as their last initial.

New styling of errors on search and dashboard pages.

Improved error messaging of GraphQL queries and mutations for alerts, scheduled searches and actions in cases where a given repository or view cannot be found.

The widget legend column width is now based on the custom series title (if specified) instead of the original series name.

Added empty states for all widget types that will be rendered when there are no results.

Introducing the Heatmap widget that visualizes aggregated data as a colorised grid.

Sorting of Pie Chart widget categories, descending by value. Categories grouped as Others will always be last.

Better handling of dashboard connections issues during restarts and upgrades.

Fix a bug causing Humio's digest coordinator to allow nodes to take over digest without catching up to the current leader. This could cause the new leader to replay more data from Kafka than necessary.

Make a number of improvements to the digest partition coordinator. The coordinator now tries harder to avoid assigning digest to nodes that are not caught up on fetching segments from the other nodes. It also does a better job unassigning digest from dead nodes in edge cases.

Remove remains of default groups and roles. The concept was replaced with UserRoles.

When unregistering a node from a cluster, return a validation error if it is still alive. Hosts should be shut down before attempting to remove them from the cluster. This validation can be skipped using the same accept-data-loss parameter that also disables other validations for the unregistration endpoint.

FDR Ingest will no longer fail on events that are larger than the maximum allowed event size. Instead, such messages will be truncated.

Intermediate network issues are not reported immediately as an error in the UI.

Fixed a bug that could result in merging small ("undersized") segments even if the resulting segment would then have a wider than desired time span. The goal it to not produce segments that span more than the 10% of the retention setting for time for the repository. If no time-based retention is configured on the repository, then 3 times the value of configuration variable MAX_HOURS_SEGMENT_OPEN is applied as limit. For default settings, that results in 72 hours.

Fixed a bug where the writeJson() function would write any field starting with a case-insensitive inf or infinity prefix as a null value in the resulting JSON.

Upgrade Kafka to 3.2.0 in the docker images, and in the Humio dependencies.

Adds a new metric for measuring the merge latency, which is defined as the latency between the last minisegment being written in a sequence with the same merge target, and those minisegments being merged. The metric name is segment-merge-latency-ms.

Adds a new logger job that logs the age of an unmerged miniSegment if the age exceeds the threshold set by the env variable MINI_SEGMENT_MAX_MERGE_DELAY_MS_BEFORE_WARNING. The default value of MINI_SEGMENT_MAX_MERGE_DELAY_MS_BEFORE_WARNING is 2 x MAX_HOURS_SEGMENT_OPEN. MAX_HOURS_SEGMENT_OPEN defaults to 24 hours. The error log produced looks like: Oldest unmerged miniSegment is older than the threshold thresholdMs={value} miniSegmentAgeMs={value} segment={value}.

Note widget:

The Bar Chart widget now works with bucket query results.

The Pie Chart widget now uses the first column for the series as a fall back option.

Bump the version of the Monaco code editor.

Added a log message with the maximum state size seen by the live part of live queries.

Fix the dropdown menus closing too early on the home page.

Websocket connections are now kept open when transitioning pages, and are used more efficiently for syntax highlighting.

The Time Chart widget regression line is no longer affected by the interpolation setting.

Bump woodstox to address SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754.

Fix a bug causing digesters to continue digesting even if the local disk is full. The digester will now pause digesting and error log if this occurs.

Make streaming queries search segments newest-to-oldest rather than oldest-to-newest. Streaming queries do not ensure the order of exported events anyway, and searching newest-to-oldest is more efficient.

Some errors messages wrongly pointed to the beginning of the query.

Toggle switches anywhere in the UI are now tabbable and can be accessed using the keyboard.

Improved keyboard accessibility for creating repositories and views.

Introduced new dynamic configuration flags query-memory-limit. It can be set using graphQL. The flag replaces the environment variable MAX_MEMORY_FOR_REDUCE, so if you have changed the value of MAX_MEMORY_FOR_REDUCE, please use query-memory-limit now instead. See Limits for more details.

Introduced new dynamic configuration flag state-row-limit. It can be set using graphQL. The flag can be used as an alternative to the environment variable MAX_STATE_LIMIT. If state-row-limit is set, then its value will be used instead of MAX_STATE_LIMIT. If it is not set, then MAX_STATE_LIMIT will be used.

Introduced new dynamic configuration flag join-row-limit. It can be set using graphQL. The flag can be used as an alternative to the environment variable MAX_JOIN_LIMIT. If the join-row-limit flag is set, then its value will be used instead of MAX_JOIN_LIMIT. If it is not set, then MAX_JOIN_LIMIT will be used.

Added a link to humio-activity repository for debugging IDP configurations to the page for setting up the same.

Added a new environment variable GROUPBY_DEFAULT_LIMIT which sets the default value for the limit parameter of groupBy(). See groupBy() documentation for details.

Default value of configuration variable S3_ARCHIVING_WORKERCOUNT raised from 1 to (vCPU/4).

The Normalize option for the World Map widget has been replaced by a third magnitude mode named None, which results in fixed size and opacity for all marks.

The dashboards page now displays the current cluster status.

Single Value widget:

Bar Chart widget:

The Log Collector download page has been enabled for on-prem deployments.

Improved performance of NDJSON format in S3 Archiving.

Add warning when a multitenancy user is changing data retention on an unlimited repository.

Adds a logger job for cluster management stats it log the stats every 2 minutes, which makes them searchable in Humio.

The logs belong to the class c.h.c.ClusterManagementStatsLoggerJob, logs for all segments contains globalSegmentStats log about singular segments starts with segmentStats.

Adds a new metric for the temp disk usage. The metric name is temp-disk-usage-bytes and denotes how many bytes are used.

Added a log of the approximate query result size before transmission to the frontend, captured by the approximateResultBeforeSerialization key.

Fix a bug where changing a role for a user under a repository would trigger infinite network requests.

If a segment is deleted or otherwise disappears from global while Humio is attempting to upload it to bucket storage, the upload will now be dropped with an info-level log, rather than requeued with an error log.

Fixed a bug where multiline comments weren't always highlighted correctly.

Fix an issue causing the event forwarding feature to incorrectly reject topic names that contained a dash (-).

Improve file path handling in DiskSpaceJob to eliminate edge cases where the job might not have been able to tell if a file was on primary or secondary storage.

Update org.json:json to address a vulnerability that could cause stack overflows.

Fix performance issue for users with access to many views.

The Save As... button is now always displayed on the Search page.

Updated dependencies to woodstox to fix a vulnerability.

Compute next set of Prometheus metrics only in a single thread concurrently. If more requests arrive, then the next request gets the previous response.

Improved error logging, when an FDR feed fails to download data from an S3 bucket. It now clearly states when a download failed because the S3 bucket is located in a different region than the SQS queue.

Added the fdr-message-count metric, which contains the approximate number of messages on an FDR feed's SQS queue.

Added the fdr-invisible-message-count metric, which contains the approximate number of invisible messages on an FDR feed's SQS queue.

The Format Panel is now available for changing the style of the data displayed in the Event list — see Changing the Data Display.

Both the Scatter Chart and the Bar Chart widgets now support automatically adding/toggling axis and legend titles based on the mapped data.

The Fields Panel now enables you to fetch fields beyond those from the last 200 events — see Adding and Removing Fields.

Improve the error message if Humio is configured to use bucket storage, but the credentials for the bucket are not configured.

The Gauge widget is being deprecated in favour of the Single Value widget. Configurations of the former widget are compatible with the latter. This means that persisted configurations of the Gauge widget (url / dashboard widgets / saved queries / recent queries) are still valid, but are visualised using the Single Value widget instead.

The Single Value widget is now available. Construct a query which returns any single value, or use the timeChart() query function to create a single-value widget instance with sparkline and trend indicators.

The Humio Log Collector can now be downloaded from the Organizational Settings page, see the Log Collector Documentation for a complete list of the supported logs formats and operating systems.

ioc:lookup() would sometimes give incorrect results when negated.

worldMap() accepts more magnitude functions, anonymous functions and the percentile() function.

worldMap() will warn about licensing issues with IP database.

sankey() now accepts more weight functions such as anonymous functions and the percentile() function.

When cleaning up a deleted data space, don't error log if two nodes race to delete the data space metadata from global.

Fixed an issue where a scheduled search could trigger actions multiple times for the same time period if actions took a long time to finish.

Ensured that errors during view tombstone removal are logged and don't prevent the RetentionJob from performing other cleanup tasks.

Logging to the humio-activity repository is now also done for events in sandbox repositories.

Fixed an underlying bug causing addToExistingJob did not find the existing job to be error logged unnecessarily. Humio may decide to fetch a segment from bucket storage for querying. If this decision is made right as the query is cancelled, Humio could log the message above. With this fix, Humio will instead skip downloading the segment, and not log the error.

Email actions can now add the result set as a CSV attachment.

Fixed an issue where Humio's Zookeeper monitoring page would show X/0 followers in sync.

Specifying a versionless packageId will load the newest version of that package.

Fixed an issue that if download of IOCs took more than an hour, Humio would indefinitely start a new download every hour which would eventually fail.

Using the dynamic configuration option FdrExcludedNodes, administrators can now exclude specific nodes from polling from FDR. Defaults to the empty list, so all nodes will be used for polling.

Using the dynamic configuration option FdrMaxNodes, administrators can put a cap on how many nodes should at most simultaneously poll data from the same FDR feed. Defaults to 5 nodes.

The static configuration variable ENABLE_FDR_POLLING_ON_NODE is no longer supported, as its functionality has been replaced with the dynamic configurations listed above.

It is now possible to test an FDR feed in the UI, which will test that Humio can connect to the SQS queue and the S3 bucket.

Introduced dynamic configuration options for changing FDR polling behaviour at runtime. FDR polling is not enabled by default, so you should take care to set up these new configurations after upgrading, or you will risk that your FDR data isn't ingested into Humio before it is deleted from Falcon.

Fixed an issue where exceptions in FDR were not properly logged.

Using the dynamic configuration option FdrEnable, administrators can now turn FDR polling on/off on the entire cluster with a single update. Defaults to false.

Events with JSON data can now be collapsed and expanded in the Json panel.

Added style options to either truncate or show full legend labels in widgets.

Keep empty lines in queries when exporting assets as templates or to packages.

Improvements to the Pie Chart widget, it now has a max series setting similar to the Time Chart widget.

The @timestamp column is now allowed to be moved amongst the other columns in the event list.

Syntax highlighting for XML, JSON and accesslog data now uses more distinguishable colors.

The widget dropdown can now be navigated with the keyboard.

When using a widget that is not compatible with the current data, the Reset Widget Type button now works again.

Added support in fieldstats() query function for skipping events. This is used by the UI, but only in situations where we know an approximate result is acceptable and where processing all events would be too costly.

Improvements to the Sankey Diagram widget, it now has multiple style options; show/hide the y-axis, sorting type, label position, and colors plus labels for series.

Introducing the new Scatter Chart widget (previously known as XY):

It is now possible to refer a parser by name when creating or updating an ingest listener using the GraphQL API mutations createIngestListenerV3 and updateIngestListenerV3. It is now also possible to change the repository on an ingest listener using updateIngestListenerV3. The old mutations createIngestListenerV2 and updateIngestListenerV2 have been deprecated.

Changed permission token related GraphQL endpoints to use enumerations instead of strings.

Marked experimental language features as preview in GraphQL API.

Added two new organization level permissions: DeleteAllRepositories and DeleteAllViews that allow repository and view deletion, respectively, inside an organization.

It is now possible to refer a parser by name when creating an ingest token or assigning a parser to an existing ingest token using the GraphQL API mutations addIngestTokenV3 and assignParserToIngestTokenV2. The old mutations addIngestTokenV2 and assignParserToIngestToken have been deprecated.

Added a new GraphQL mutation to rename views or repositories by ID.

Removed the following deprecated GraphQL fields: UserSettings.settings, UserSettings.isEventListOrderChangedMessageDismissed, and UserSettings.isNewRepoHelpDismissed.

The GraphQL queries and mutations for FDR feeds are no longer in preview.

Removed the deprecated clientMutationId argument from the GraphQL mutation updateSettings.

Added a GraphQL mutation deleteSearchDomainById that deletes views or repositories by ID.

Validate block CRCs before uploading segment files to bucket storage. Can be disabled by setting VALIDATE_BLOCK_CRCS_BEFORE_UPLOAD to false.

Require that {S3/GCS}_STORAGE config must be set before {S3/GCS}_STORAGE_2 is set.

Amended how Humio chooses segments to download from bucket storage when prefetching. If S3_STORAGE_PREFERRED_COPY_SOURCE is false, the prefetcher will only download segments that are not already on another host. Otherwise, it will download as many hosts as necessary to follow the configured replication factor. This should help avoid excessive bucket downloads when nodes in the cluster have lots of empty disk space.

Added a new config NATIVE_FALLOCATE_SUPPORT (default true) to allow turning off the use of fallocate and ftruncate internally.

Added a new config NATIVE_FADVICE_SUPPORT (default true) to allow turning off the use of fadvice internally.

Added a new configuration variable BUCKET_STORAGE_TRUST_POLICY for the dual-bucket use case. This setting configures which bucket is considered the "trusted" bucket when two buckets are configured, which impacts when Humio considers data to be safely replicated. Supported values are Primary for trusting the primary bucket, Secondary for trusting the secondary bucket, TrustEither for considering data safely replicated if it is in either bucket, and RequireBoth for considering data safely replicated only if it is in both buckets. This config replaces the BUCKET_STORAGE_2_TRUSTED configuration, true in the old configuration equates to Secondary in the new configuration. The default value of the new configuration is Secondary.

Improvements to the Time Chart widget:

Introducing the Single Value widget. Construct a query which returns any single value, or use the timeChart() query function to create a single-value widget instance with sparkline and trend indicators.

Improvements to the Bar Chart widget:

The findTimestamp() function now supports date formats like 23FEB2022, that is date, literal month and year without any separators in between. Other formats still require separators between the parts.

Renamed the Humio tarball distribution to humio-1.39.0.tar.gz instead of humio-release-1.39.0.tar.gz. The file now contains a directory named humio-1.39.0 instead of humio-release-1.39.0.

Fixed an issue where query cancellation could in rare cases cause the query scheduler to throw exceptions.

Humio is now more strict during a Kafka reset to avoid global desyncs. Only one node will be allowed to boot on the new epoch, remaining nodes won't be allowed to use their snapshots, and will need to fetch a fresh global snapshot from that node.

Fixed an ingest bug where we might discard @timezone and @error fields in events with too many fields. Now we always retain those and only discard other fields.

Improved distribution of new autosharded datasources.

Fixed an issue that could cause creation of two datasources for the same tag set if messages with the same tags happened to arrive on different Kafka partitions.

When calculating the starting offset in Kafka for digest, Humio will now trust that if a segment in global is listed as being in bucket storage, that segment is actually present in bucket storage. Humio no longer double checks by asking bucket storage directly.

It is no longer possible to use experimental functions in Alerts, Parsers, and Event Forwarding. They are now only available on the search page.

Fixed an issue where audit logging of alerts, scheduled searches and actions residing on views would yield incomplete or missing audit logs.

Create, update and delete operations on ingest listeners are now always audit logged. Previously, they were only logged when performed through the REST API. Also, the audit log format has been updated to be similar to the format of other assets. Look for events with the type field set to ingestlistener.create, ingestlistener.update, and ingestlistener.delete.

Adding and removing queries from the query blocklist is now audit logged as two separate audit log event types, query-blocklist-add and query-blocklist-remove, rather than the single event type blocklist.

Fixed an ingest bug where, under some circumstances, we would reverse the order of events in a batch.

The query scheduler improperly handled regex limits being hit, it should result in a warning on the query. In some cases it was handled by retrying the segment read.

Added support for restoring deleted repositories and views when using bucket storage. See Delete a Repository or View.

Fixed an issue when using bucket storage alongside secondary storage, where Humio would download files to the secondary storage but register them as present in the primary. It will now download and register them as present on the secondary storage.

Fixed how relative time is displayed.

Fixed an issue where OrganizationStatsUpdaterJob would repeatedly post the error com.humio.entities.organization.OrganizationSingleModeNotSupported: Not supported when using organizations in single mode when the cluster was configured for only one organization.

It is no longer possible to delete a parser that is used by an ingest listener. You must first assign another parser to the ingest listener.

Fixed a caching-related issue with groupBy() in live queries that would briefly cause inconsistent results.

Fixed an issue where Filebeat 8.1 would not be compatible unless output.elasticsearch.allow_older_versions was set to true.

Reduced the amount of time Humio will spend during shutdown waiting for in-progress data to flush to disk to 60 seconds from 150 seconds.

If the query scheduler attempts to read a broken segment file, it may be able to fetch a new copy from bucket storage in some cases. Humio will now only allow this if it can be guaranteed that no events from the broken segment have been added to the query result. Otherwise the query will receive a warning.

When Humio detects multiple datasources for the same set of tags, it will not deduplicate them by selecting one source to keep and marking the others replaced.

Updating alert labels using the addAlertLabel and removeAlertLabel mutations now requires the ChangeTriggersAndActions permission.

Added humio-decrypt-bucket-file.sh to the Humio bin directory. This invokes a utility for decrypting files downloaded from bucket storage.

Fixed a race condition between nodes creating the merge result for the same target segment, and also transferring it among the nodes concurrently. If a query read the file during that race, an in-memory cache of the file header might hold contents that did not match the local file, resulting in Broken segment warnings in queries.

It is now validated, that the parser supplied when creating or updating an ingest listener, exists.

Improved the phrasing of some error messages.

Improved the flow of creating a blocked query.

When logging Kafka consumer and producer metrics, Humio will now log repeated metrics like records-lag-max once per partition, with the partition specified in the partition field.

Fixed duplicate Change triggers and actions entry in view permission token page.

It is no longer possible to create ingest listeners on system repositories using the APIs. Previously, it was only prohibited in the UI.

When shared dashboards are disabled or become inaccessible because of IP filters, they will now be completely unreachable, and any dashboards already open will show an informative error message.

Humio will now periodically log node configs to the debug log, in addition to the existing log of config on node boot. These logs will come from com.humio.jobs.ConfigLoggerJob.

Webhook action now includes the 'Message Body Template' for PATCH and DELETE requests as well if it is not empty.

During ingest, if an event has too many fields we now sort the fields lexicographically and remove fields from the end. Before, there was no system to which fields were retained, it was effectively random.

It is now possible to create a view with the same name as a deleted view.

Fixed a bug where accessing a csv file with records spanning multiple lines would fail with an exception.

Webhook action has been updated to only allow the following HTTP verbs: GET, HEAD, POST, PUT, PATCH, DELETE and OPTIONS.

Fixed an issue that links in alerts from OpsGenie actions were not clickable.

Fixed bugs related to repository deletes.

Fixed an ingest bug where if multiple types of errors occurred for an event we would only add error fields describing one of them. Now we always report all errors.

Fixed an ingest bug where sometimes we wouldn't turn event fields into tags if we fell back to using the key-value parser. Now we always turn fields into tags.

Fixed an issue that could cause the query scheduler to erroneously retry searching a bucketed segment.

Added more visibility on organization limits when changing the retention settings on a repository.

Fixed an issue where an exception in rare cases could cause ingest requests to fail intermittently.

Fixed an ingest bug where, when truncating an event with too many fields, we wouldn't count error fields, leading to the event still being larger than the maximum size.

Added a feature that allows deletion of repositories and views on cloud.

Fixed an issue where download of IOCs from another node in the cluster could start before the previous download had finished, resulting in too many open connections between nodes in the cluster.

Fixed a bug with UTF-8 serialization of 4-byte codepoints (emojis etc.).

Improved distribution onto partitions of tag combinations (datasources) that are affected by auto sharding, resulting in less collisions.

Made changes to Humio's tracking of bucket storage downloads. This should avoid some rare cases where downloads could get stuck.

Automatic system removals of queries expired from the blocklist are now audit logged as well.

Added a feature that allows regular users with delete permissions on cloud to rename views and repositories.

Fixed an issue where non-default log formats such as log4j2-json-stdout.xml that logs to STDOUT were not fully in control of their output stream, as log entries of level ERROR were also printed directly to stderr from within the code. The default log4j2 configuration now includes a Console appender that prints errors to stdout, achieving the same result, while allowing the other formats to fully control their output stream.

Fixed an issue where Filebeat 8.0 would not be compatible unless setup.ilm.enabled was set to false.

Added humio-token-hashing.sh to the Humio bin directory. This invokes a utility for generating root tokens.

The REST API for ingest listeners has been deprecated.

Fixed an issue where the UI would not detect parameters in a query when using saved queries from a package.

Ingest listeners are now only stopped, not deleted, when a user deletes a repository. If the repository is restored, the ingest listener will be restarted automatically. When it is no longer possible to restore the repository, the ingest listener will be deleted.

Fixed an issue that could cause an exception to be thrown in the ingest code if digest assignment changed while a local segment file being written was still empty.

Fixed an issue where NetFlow parsing would crash if it received an options data record.

Fixed an issue where the set-replication-defaults config endpoint could attempt to assign storage to nodes configured not to store segments.

Improved performance of formatting action messages, when the query result for an alert or scheduled search contains large events.

Added a new system-level permission allowing changing the user name of a user.

Fixed an issue where some errors showed wrong positions in the search page query field.

Updated java script dependencies to fix vulnerabilities.

Updated dependencies to Jackson to fix a vulnerability.

Updated java script dependencies to fix vulnerabilities.