Falcon LogScale Documentation

Added buttons for stopping all queries, streaming queries, and historical queries from inside the query monitor.

Disable actions if permissions are handled externally.

Added maximum width to tabs on the Group page, so they do not keep expanding forever.

Added autofocus to the first field when opening a dialog using the save as functionality from the Search page.

Updated the links for Privacy Notice and Terms and Conditions.

Allow resize of columns in the event list by mouse.

Dark mode is officially deemed stable enough to be out of beta.

Validation error messages are now more precise and have improved formatting.

The overall look of message boxes in Humio has been updated.

The GraphQL field isEventForwardingEnabled on the HumioMetadata type is deprecated, as it is no longer in use internally. If you rely on this, please let us know.

Renamed the deleteEvents related GraphQL mutations and queries to redactEvents. The redactEvents API is intended for redacting sensitive data from a repository, not for bulk deletion of events. We think the new name invites fewer misunderstandings.

Added 2-phase migration that will allow old user api tokens to be used and clean global from secrets after a 30 day period.

Added three GraphQL mutations for stopping queries: stopAllQueries, stopStreamingQueries, and stopHistoricalQueries.

Added GraphQL mutation clearRecentQueries which a user can run to clear their recent queries in a specific view or repository.

Changed old personal user token implementation to hash based.

When checking if the ViewAction.EventForwarding action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if the event forwarding is not enabled on the server.

Refactored query functions join(), selfJoin(), and selfJoinFilter() into user-visible and internal implementations.

The kvParse() query function can now parse unquoted empty values using the new parameter separatorPadding to specify if your data has whitespace around the key-value separator (typically =). The default is "Unknown", which will leave the functionality of the function unchanged.

Added query function math:arctan2()to the query language.

Added the communityId() function for calculating hashes of network flow tuples according to the (Community ID Spec).

Improved performance of the query functions drop() and rename() by quite a bit.

Added a minSpan parameter to timeChart() and bucket(), which can be used to specify a minimum span when using a short time interval.

Made the transfer coordinator display more clear errors instead of an internal server error for multinode clusters.

Retention based on compressed size will no longer account for segment replication.

Improved error messages when an invalid regular expression is used in replace.

Improved the error reporting when installing, updating or exporting a package fails.

Reduce limit on number of datasources for sandbox repositories created when a user is created to .0 by default.

New metric: ingest-request-delay. Histogram of ingest request time spent being delayed due to exceeding limit on concurrent processing of ingest (milliseconds).

Improved handling of multiple nodes attempting to create views with the same names at the same time, as might happen when bootstrapping a cluster.

Added checksum verification within hash filter files on read.

Improved shutdown logic slightly, helping prevent thread pools from getting stuck or logging spurious errors during shutdown.

Added Australian states to the States dropdown.

Added support in the humio event collector for organization- and system-wide ingest tokens and the ability to use a parser from a different repo than the one being ingested into.

Reword regular expression related error messages.

Minor optimization when using groupBy with a single field.

It is now possible to create actions, alerts, scheduled searches, and parsers from Yaml template files.

Added management API to put hosts in maintenance mode.

Added a precondition that ensures that the number of ingest partitions cannot be reduced.

Improved partition layout auto-balancing algorithm.

Query validation has been improved to include several errors which used to first show up after submitting search.

It is now possible to ingest logs into Humio using LogStash v.7.13 and upwards.

Added metric for the number of currently running streaming queries.

Node roles can now be assigned/removed at runtime.

Added new metric: bucket-storage-upload-latency-max. It shows the amount of time spent for the event that that has been pending for upload to bucket storage the longest.

Added "export as yaml" function to the list pages of parsers, actions and scheduled searches.

Create, update, and delete of dashboards is now audit logged.

Query editor: improved code completion of function names.

Added validation and a more clear error message for queries with a time span of 0.

A compressed segment with a size of 1GB will now always count for retention as 1 GB. Previously, a compressed segment with a size of 1GB might count for more than 1GB when calculating retention, if that segment had more replicas than configured. The effect on the retention policy was that if you had configured retention of .0GB compressed bytes, Humio might retain less than .0GB of compressed data if any of those segments had too many replicas.

Prepopulate email field when invited user is filling in a form with this information.

Alerts and scheduled searches are now enabled per default when created. The check disabling these entities if no actions are attached has been replaced with a warning, which informs a user that even though the entity is enabled, nothing will trigger since no actions are attached.

Fixed an issue where an alert would not be throttled until after its actions had completed, which could make the alert trigger multiple times shortly after each other if an action was slow. Now, the alert is throttled as soon as it triggers.

Alerts and scheduled searches are no longer run on cloud for organizations with an expired trial license, and on-prem for any expired license.

Fixed a bug in the validation of the bits parameter of hashMatch() and hashRewrite().

Fixed a bug where only part of the Users page was loading when navigating from the All organizations page.

Use a fresh (random) name for the tmp folder below the datadir to ensure that it is a proper subdir of the datadir and not a mount point.

When performing jobs triggered via the Redact Events API, Humio could restart queries for unrelated views until the delete job completed. This has been improved, so only views affected by the delete will be impacted.

Fixed an issue where the SegmentMoverJob could delete the local copy of a segment, if a pending download of the segment failed the CRC check. The job will now keep the downloaded file at a temporary path until the CRC check completes, to avoid deleting a local copy created by other jobs, e.g. by bucket downloads.

Changes to the state of IOC access on organizations are now reflected in the audit log.

Fixed an issue where sort() would cause events to be read ina non-optimal order for the entire query.

Fixed an edge case where Humio might create multiple copies of the same datasource when the number of Kafka partitions is changed. The fix ensures only one copy will be created.

Fixed a compatibility issue with Filebeat 7.16.0

Prevent unauthorized analytics requests being sent.

Remove the ability to create ingest tokens and ingest listeners on system repositories.

Fixed an issue on sandbox renaming, that would allow you to rename a sandbox and end up in a bad state.

Addressed an issue causing Humio to sometimes error log an ArrayIndexOutOfBoundsException during shutdown.

Fixed a bug with the cache not being populated between restarts on single node clusters.

The field vhost in internal Humio logging is now reserved for denoting the host logging the message. Other uses of vhost now uses the field hostId.

Fixed an issue in the interactive tutorial.

Removed a spurious warning log when requesting a non-existent hash file from S3.

Fixed incorrect results when searching through saved queries and recent queries.

Changed field type for zip codes.

When checking if the ViewAction.ChangeRepoConnections action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if checked on a repository, as the action only makes sense on views.

When an alert query encounters a warning and Humio is not configured to trigger alerts despite warnings ALERT_DESPITE_WARNINGS=true the warning text will now be shown as an error message on the alert in the UI.

Fixed an issue where the web client could start queries from the beginning of time when scrolling backwards through events in the UI.

Fixed an issue where a failing event forwarder would be cached indefinitely and could negatively impact Humio performance.

Fixed a race condition that could cause Humio to delete more segments than expected when initializing a digester node.

Browser storage is now cleared when initiating while unauthenticated.

Fixed an issue where some regexes could not be used.

Fixed an issue where series() failed to serialize its state properly.

Temporary fix of issue with live queries not having first aggregator as bucket() or timeChart(), but then later in the query having those as a second aggregator. As a temporary fix, such queries will fail. In later releases, this will get fixed more properly.

Fixed an issue where missing undersized segments in a datasource might cause Humio to repeatedly transfer undersized segments between nodes.

Fixed an issue where a scheduled search failed and was retried, if it had multiple actions and at least one action was unknown to Humio. Now, the unknown action is logged, but the scheduled search completes successfully and continues to the next scheduled run.

Fixed an issue where OIDC without a discovery endpoint would fail to configure if OIDC_TOKEN_ENDPOINT_AUTH_METHOD was not set.

Fixed a number of stability issues with the event redaction job.

Changed default package type to "application" on the export package wizard.

Fixed styling issue on the search page where long errors would overflow the screen.

Fixed a bug where invalid UTF-16 characters could not be ingested. They are now converted to 'ufffd'.

Fixed an issue where the segment merger would write that the current node had a segment slightly before registering that segment in the local node.

When a digester fails to start, rather than restarting the JVM as previous releases did, keep retrying to start assuming that the issue is transient, such as data for a single ingest partition being unavailable for a short while. While in this situation the process reports the metric for ingest latency on the affected partitions as being uptime of the JVM process at this point. The idea is to signal that data is not flowing on those partitions, so that a monitored metric can raise an alarm somewhere. In lack of a proper latency in this situation, it's better to have a growing non-zero metrics than having the metrics being zero.

Fixed an issue where the segment merger could mishandle errors during merge.

Fixed an issue on on-prem trial license that would use user count limits from cloud.

Fixed an issue causing Humio running on Java 16+ to return incorrect search results when the input query contains Unicode surrogate pairs (e.g. when searching for an emoji).

Fixed an issue that in rare cases would cause login errors.

Removed error query param from URL when entering Humio.

Fixed an issue where comments spanning multiple lines wouldn't be colored correctly.

When checking if the ViewAction.ChangeS3ArchivingSettings action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if checked on a view, as the action only makes sense on repositories.

Fixed a bug where query coordination partitions would not get updated.

Fixed an issue where release notes would not close when a release is open.

Fixed an issue where error messages would show wrong input.

Crash the node if any of a number of critical threads die. This should help prevent zombie nodes.

Fixed an issue where certain problems would highlight the first word in a query.

Fixed an issue where streaming (exporting) query results in JSON format could include extra "," characters within the output.

Fixed an issue where clicking on the counters of parsed events on the Parsers page would open an empty search page, except for built-in parsers. Now, it correctly shows the latest parsed events for all parsers (except package parsers).

Fixed an issue when adding a group to a repository or view than an error message is displayed when the user is not the organization owner or root.

Fixed an issue where a digest node could be unable to rejoin the cluster after being shut down if all other digest nodes were also down at the time.

Include view+parser-name in thread dumps when time is spent inside a parser.

Fixed a bug where shared lookup files could not be downloaded from the UI.

Changes to the state of backend feature flags are now reflected in the audit log.

Fixed an issue where a dashboard installed with a YAML file could be slightly different than what was specified in the file.

Fixed some widgets on dashboards reporting errors while waiting for data to load.

No longer return the "Query Plan" in responses, but return a hash in the new field hashedQueryOnView instead. The plan could leak information not otherwise visible to the user, such as query prefixes being applied.

When creating or updating an action, the backend now verifies that the host url associated with the action is prefixed with either 'http://' or 'https://'. This affects Actions of the type: Webhook, OpsGenie, Single-Channel Slack and VictorOps.

Fixed a bug where offsets from one Kafka partition could be used when deciding where to start consuming for another partition, in the case where there were too many datasources in the repo. This led to a crash loop when the affected node was restarted.

Support Java 17.

Fixed an issue where choosing a UI theme would not get saved properly in the user's settings.