Falcon LogScale Documentation

Event List Interactions are now accessible from the Repository Settings page.

Organization level query blocking has been added to Organization Settings UI.

For more information, see Organization Query Monitor.

Improvements in UI tables visualization: even long column headers' text is now always left-aligned (instead of center-aligned and on top of each other) and uses a different color.

The view permission ChangeDashboardReadonlyToken is now also required when creating and deleting shared dashboard tokens.

The error message for an Alert or Scheduled Search on their edit pages now has a button for clearing the error while the dismiss icon will just close the message but not clear errors.

When enabling an Alert or Scheduled Search with no actions, an inline warning message now appears instead of a message box.

The default time window for Alerts has been updated:

For more information, see Creating a New Alert.

When creating a new Alert, you now have a pulldown menu that suggests labels that you’ve previously created for other alerts. The same applies to Scheduled Searches.

For more information, see Creating a New Alert.

Clicking the Labels button in Alerts will now show every unique label that has been created on every alert in the same repository. This means that you don't need to rewrite a label when wanting to add the same label to another alert. This feature also applies to Scheduled Searches.

The following GraphQL mutations can now also be performed with the ChangeOrganizationPermissions permission:

The following GraphQL mutations can now also be performed with the ChangeSystemPermissions permission:

The following GraphQL queries and mutations can now also be performed with either ChangeOrganizationPermissions, ChangeSystemPermissions permission depending on the group:

The permissions required in order to list IP filters have been updated. You can now also list IP filters with one of the following permissions:

The querySearchDomain GraphQL query now allows you to search for Views and Repositories based on your permissions — previously, enforcing specific permissions caused errors.

The new configuration parameter SEGMENT_READ_FADVICE has been introduced.

New configuration parameters have been added allowing control of client.rack for our Kafka consumers:

Automatic rebalancing of existing segments onto cluster nodes has been enabled.

Manual editing of the segment partition table is no longer supported. The table is no longer displayed in the Cluster Administration UI.

The segments will be distributed onto cluster nodes based on the following node-level settings:

Additionally, the following cluster-level setting has been introduced, editable via GraphQL mutations:

This is also configurable via the DEFAULT_SEGMENT_REPLICATION_FACTOR configuration parameter.

If configured via both environment variable and GraphQL mutation, the mutation has precedence.

For new clusters the default is 1. For clusters upgrading from older versions, the initial value is taken from the STORAGE_REPLICATION_FACTOR environment variable, if set. If instead the variable is not set, the value is taken from the replication factor of the storage partition table prior to the upgrade — this means that upgrading clusters should see no change to their replication factor, unless specified in the STORAGE_REPLICATION_FACTOR .

The feature can be disabled in case of problems via either the GraphQL mutation setAllowRebalanceExistingSegments, or the environment variable DEFAULT_ALLOW_REBALANCE_EXISTING_SEGMENTS.

If you need to disable the feature, please reach out to Support and share your concerns so we can try to address them. We intend to remove the option to handle segment partitions manually in the future.

Using the storage class "S3 Intelligent-Tiering" in AWS S3 selectively on files that LogScale knows continues to be supported: it is controlled by the new dynamic configuration BucketStorageUploadInfrequentThresholdDays that sets the minimum number of days of remaining retention for the data in order to switch from the default "S3 Standard" to the "Intelligent" tier.

The decision is made at the point of upload to the bucket only, whereas existing objects in the bucket are not modified.

The bucket must be configured to not allow the optional tiers Archive Access tier nor Deep Archive Access tier as those do not have instant access, which is required for LogScale.

As a consequence of that, do not enable automatic archiving within the S3 Intelligent-Tiering storage class.

Disable the AutomaticDigesterDistribution feature by default. While the feature works, it can cause performance issues on very large installs if nodes are rebooted repeatedly. In future versions, we've worked around this issue, but for 1.88 patch versions, we prefer simply disabling the feature.

Multivalued parameters have been introduced to pass an array of values to the query. The support is limited to the Dashboards page.

For more information, see Multi-value Parameters.

When using the Edit in search view item on a dashboard widget, the values set in parameters in the query are also carried over into the search view.

The new interaction type Update Parameters has been introduced. This interaction allows you to update parameters in the context you’re working in — on the dashboard or on the Search page.

For more information, see Update Parameters.

The combo box has been updated to show multiple selections as "pills".

When Setting Up a Dashboard Interaction, the {{ startTime }} and {{ endTime }} special variables now work differently, depending on whether the query, widget or dashboard is running in Live mode or not. They now work as follows:

Introduced a new setting for dashboard parameters configuration to defer query execution: the dashboard will not execute any queries on page load until the user provides a value to the parameter.

For more information, see Configuring Parameters.

Interactive elements in visualizations now have the point cursor.

The new interaction type Search Link has been introduced, allowing users to create an interaction that will trigger a new search.

For more information, see Managing Dashboard Interactions, Creating Event List Interactions.

You can now save interactions with a saved query on the Search page. Interactions in saved queries are also supported in Packages.

For more information, see Creating Event List Interactions.

You can now delete or duplicate Event List Interactions from the Interactions overview page.

For more information, see Deleting and Duplicating Event List Interactions.

Fleet Management updates:

For more information, see Creating a Configuration - Fleet Management.

On the Config Overview page a column showing the state of the configuration has been added. The configuration can either be published or in draft state.

A menu item has been added on the Config Overview page, that links to the Settings page.

When clicking on an Error status on the Fleet Overview page, a dialog with the error details will open.

For more information, see LogScale Collector Fleet Management.

base64Decode() query function has been updated such that, when decoding to UTF-8, invalid code points are replaced with a placeholder character.

Performance improvements have been made to the match() query function in cases where ignoreCase=true is used together with either mode=cidr, or mode=string.

When IOCs are not available, the ioc:lookup() query function will now produce an error. Previously, it only produced a warning.

The memory usage of the functions selectLast() and groupBy() has been improved.

When the automatic segment rebalancing feature is enabled, ignore the segment storage table when evaluating whether dead ephemeral nodes can be removed automatically.

Reduced the amount of memory used when multiple queries use the match() function with the same arguments. Before, if you ran many queries that used the same file, the contents of the file would be represented multiple times in memory, once for each query. This could put you at risk of exhausting the server's memory if the files were large. With this change the file contents will be shared between the queries and represented only once. This enables the server to run more queries and/or handle larger files.

For more information, see Lookup Files Operation.

Improvements to query scheduler logic for "shelving" i.e., pausing queries considered too expensive. The pause/unpause logic are now more responsive and unpause queries faster when they become eligible to run.

Create Repositories permission now also allows LogScale Self-Hosted users to create repositories.

The size limit of packages' lookup files has been changed to adhere to the MAX_FILEUPLOAD_SIZE configuration parameter. Previously the size limit was 1MB.

For more information, see Exporting the Package.

The Search page would reload when using the browser's history navigation buttons. This issue has now been fixed.

The Fields Panel flyout displayed the bottom 10 values rather than the top 10 values. This issue has now been fixed.

For more information, see Displaying Fields.

An issue in the Usage page that could fail showing any data has been fixed.

The Usage page now shows an error if there are any warnings from the query.

The tooltip in the Time Chart widget would not show any data points. This issue has now been fixed.

'_' was not recognized as a valid first symbol for parameters when parsing queries. This issue has now been fixed.

Non-breaking space chars (ALT+Space) made Template Expressions unable to be resolved. This issue has been fixed.

Attempting to remove a widget on a dashboard would sometimes remove another widget than the one attempted to remove. This issue has been fixed.

"" was being discarded when creating URLs for interactions. This issue has now been fixed.

The values of FixedList Parameter on a dashboard would change sort ordering after being exported to a yaml template file. This issue has been fixed.

Fixed an issue where clicking the Inspect link in alert notifications would land on a missing page.

timeChart() provided with unit and groupBy() as the aggregation function would not warn on exceeding the default groupBy() limit. This issue has now been fixed.

The groupBy() function would not always warn upon exceeding the default limit. This issue has now been fixed.

Fixed a regression in join() validation, which was introduced in version Falcon LogScale 1.80.0 Preview (2023-03-07).

In clusters with bucket storage running queries that take more than 90 minutes, those queries could spuriously fail with a complaint that segments were missing. The issue has now been fixed.

Export query result to file dialog would not close in some cases. This issue has now been fixed.

An issue that would cause bucket downloads to retry infinitely many times for certain types of segments has been fixed.

An uploaded file would sometimes disappear immediately after uploading. This issue has been fixed.

The following audit log issues have been fixed:

An issue that would cause query workers to handle minisegments for longer than intended has been fixed.

Fixed bucket downloads that could fail if the segment they were fetching disappeared from global.

In ephemeral-disk mode, allow removing a node via the UI when it is dead regardless of any data present on the node: ephemeral mode knows how to ensure durability also when nodes are lost without notice.

For more information, see Ephemeral Nodes and Cluster Identity.

Restart of queries based on lookup files has been fixed: only live queries need restarting from changes to uploaded files that they depend on. Scheduled Searches and static queries use the version of the file present when they start and run to completion.