Falcon LogScale 1.85.0 Preview (2023-04-13)

| Version | Type | Release Date | End of Support | Upgrades From | JDK Compatibility | Data Migration | Config. Changes |
|---|---|---|---|---|---|---|---|
| 1.85.0 | Preview | 2023-04-13 | 2023-05-24 | 1.44 | 11 | No | No |

Bug fixes and updates.

Upgrades

Changes that may occur or be required during an upgrade.

Other

  • SnakeYAML has been upgraded to 2.0 to address CVE-2022-1471.

Improvements, new features and functionality

  • UI Changes

    • Organization level query blocking has been added to Organization Settings UI.

      For more information, see Organization Query Monitor.

    • Improved table visualization in the UI: column header text, even when long, is now always left-aligned (instead of center-aligned and stacked on top of each other) and uses a different color.

  • Automation and Alerts

    • Clicking the Labels button in Alerts will now show every unique label that has been created on every alert in the same repository. This means that you don't need to rewrite a label when wanting to add the same label to another alert. This feature also applies to Scheduled Searches.

  • GraphQL API

    • The following GraphQL mutations can now also be performed with the ChangeOrganizationPermissions permission:

      • assignOrganizationRoleToGroup

      • unassignOrganizationRoleFromGroup

      The following GraphQL mutations can now also be performed with the ChangeSystemPermissions permission:

      • assignSystemRoleToGroup

      The following GraphQL queries and mutations can now also be performed with either the ChangeOrganizationPermissions or the ChangeSystemPermissions permission, depending on the group:

      • addUsersToGroup

      • removeUsersFromGroup

      • assignRoleToGroup

      • group

      • groupByDisplayName

    • The permissions required in order to list IP filters have been updated. You can now also list IP filters with one of the following permissions:

      • ChangeOrganizationPermissions

      • ChangeAllViewOrRepositoryPermissions

      • ChangeSystemPermissions

  • Configuration

    • The new configuration parameter SEGMENT_READ_FADVICE has been introduced.

    • Using the storage class "S3 Intelligent-Tiering" in AWS S3 selectively on files that LogScale knows continues to be supported: it is controlled by the new dynamic configuration BucketStorageUploadInfrequentThresholdDays that sets the minimum number of days of remaining retention for the data in order to switch from the default "S3 Standard" to the "Intelligent" tier.

      The decision is made at the point of upload to the bucket only, whereas existing objects in the bucket are not modified.

      The bucket must be configured to allow neither of the optional tiers, Archive Access or Deep Archive Access, as those do not have instant access, which LogScale requires.

      As a consequence of that, do not enable automatic archiving within the S3 Intelligent-Tiering storage class.
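
      A check for the bucket requirement above, added here as an example (not LogScale or CrowdStrike code): it parses the JSON printed by `aws s3api list-bucket-intelligent-tiering-configurations --bucket <bucket>` and flags any configuration that opts objects into the Archive Access or Deep Archive Access tier. The sample JSON and the function names are constructed for illustration.

```python
import json

# Opt-in tiers without instant access, which the note above says LogScale requires.
ARCHIVE_TIERS = {"ARCHIVE_ACCESS", "DEEP_ARCHIVE_ACCESS"}

# Constructed sample of the CLI output; Ids, prefix and day counts are made up.
SAMPLE = """
{"IntelligentTieringConfigurationList": [
  {"Id": "archive-old-segments", "Status": "Enabled",
   "Filter": {"Prefix": "logscale/"},
   "Tierings": [{"Days": 90, "AccessTier": "ARCHIVE_ACCESS"},
                {"Days": 180, "AccessTier": "DEEP_ARCHIVE_ACCESS"}]},
  {"Id": "legacy-rule", "Status": "Disabled",
   "Tierings": [{"Days": 120, "AccessTier": "ARCHIVE_ACCESS"}]}
]}
"""

def find_archive_tierings(cli_json):
    """List every archive tiering; 'blocking' marks those in an Enabled config."""
    # Assumption: empty CLI output means the bucket has no configurations.
    doc = json.loads(cli_json) if cli_json.strip() else {}
    findings = []
    for cfg in doc.get("IntelligentTieringConfigurationList", []):
        for tiering in cfg.get("Tierings", []):
            if tiering.get("AccessTier") in ARCHIVE_TIERS:
                findings.append({
                    "id": cfg.get("Id"),
                    "tier": tiering["AccessTier"],
                    "days": tiering.get("Days"),
                    "scope": cfg.get("Filter") or "whole bucket",
                    "blocking": cfg.get("Status") == "Enabled",
                })
    return findings

def bucket_meets_requirement(cli_json):
    """True when no Enabled configuration moves objects to an archive tier."""
    return not any(f["blocking"] for f in find_archive_tierings(cli_json))

if __name__ == "__main__":
    for f in find_archive_tierings(SAMPLE):
        state = "FAIL" if f["blocking"] else "note (disabled)"
        print(f"{state}: {f['id']} -> {f['tier']} after {f['days']} days, scope={f['scope']}")
    print("bucket OK for LogScale:", bucket_meets_requirement(SAMPLE))
```

      Disabled configurations are reported but do not fail the check, since they only become a problem if someone re-enables them.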

  • Dashboards and Widgets

    • Multivalued parameters have been introduced to pass an array of values to the query. The support is limited to the Dashboards page.

      For more information, see Multi-value Parameters.

    • Introduced a new setting for dashboard parameters configuration to defer query execution: the dashboard will not execute any queries on page load until the user provides a value to the parameter.

      For more information, see Configuring Parameters.

    • The new interaction type Search Link has been introduced, allowing users to create an interaction that will trigger a new search.

      For more information, see Managing Dashboard Interactions, Creating Event List Interactions.

  • Log Collector

    • Fleet Management updates:

      • Added the Basic Information page with primary information about a specific configuration, e.g. name, description, number of assigned instances.

      • The Config Editor used to create/modify LogScale Collector configurations in LogScale has been augmented with context-aware auto-completion, tooltips for keywords and highlighting of invalid settings.

      For more information, see Creating a Configuration - Fleet Management.

  • Functions

    • When IOCs are not available, the ioc:lookup() query function will now produce an error. Previously, it only produced a warning.

  • Other

    • Worker-level query scheduling has been adjusted to avoid long-term starvation of expensive queries.

    • Improvements to query scheduler logic for "shelving", i.e. pausing queries considered too expensive. The pause/unpause logic is now more responsive and unpauses queries faster when they become eligible to run.

    • The Create Repositories permission now also allows LogScale Self-Hosted users to create repositories.

Bug Fixes

  • Functions

  • Other

    • An issue that would cause bucket downloads to retry infinitely many times for certain types of segments has been fixed.

    • The following audit log issues have been fixed:

      • The audit log logged the name of the view owning the view bindings instead of the repository it links to. The name now matches the id in the binding log entry.

      • The audit log for a view update did not use the updated view but the view data before the update.

    • An issue that would cause query workers to handle minisegments for longer than intended has been fixed.