Falcon LogScale Documentation

When creating or editing Alerts and Scheduled Searches, it is now possible to specify another user the alert or scheduled search should run as, via the new organization permission ChangeTriggersToRunAsOtherUsers.

It is now checked that the user selected to run the alert or scheduled search has permissions to run it. Previously, that was first checked when trying to run the alert or scheduled search.

The new feature checks whether the user, trying to create or edit an alert or schedule search, has permissions to change and run as another user. If the feature is enabled, you can select the user to run an alert or schedule search as, from a list of users.

See Creating a New Alert and Scheduled Search Permissions for more information.

Introduced a memory limit in collect() mapper phase. The collect() function now collects up to the value of the limit argument or 10 MiB worth of distinct values, whichever comes first.

Memory consumption of the format() function has been decreased.

Fixed a performance issue when setting fileDownloadParallelism to more than 1. See Adjust Polling Nodes Per Feed for more information.

The Event Distribution Histogram wouldn't show properly after manipulation of the @timestamp field.

In visualizations using the timeChart() or bucket() functions, when no results were returned you would just see an empty page. Consistently with other visualizations, you will now see a no-result message displayed, such as No results in active time window or Search Completed. No results found — depending on whether Live mode is selected or not.

Fixed dashboard links to the same dashboard, as they would not correctly update the parameters.