Humio Server 1.33.0 Preview (2021-11-15)
|Version||Type||Release Date||End of Support||Upgrades From||Data Migration||Config. Changes|
1.33 REQUIRES minimum version 1.26.0 of Humio to start. Clusters wishing to upgrade from older versions must upgrade to 1.26.0+ first. After running 1.33.0 or later, you cannot run versions prior to 1.26.0.
Once the release has been deployed, all existing personal api tokens will be hashed so they still can be used, but you will not be able to retrieve them again. If you want to preserve the tokens, be sure to copy it into a secrets vault before the release is deployed. The api-token field on the User type in GraphQL has been removed.
You can now use the mouse to resize columns in the event list. Previously you had to click the column header and use the "Increase / Decrease Width" buttons.
Improvements, new features and functionality
Updated the links for Privacy Notice and Terms and Conditions.
The overall look of message boxes in Humio has been updated.
Added autofocus to the first field when opening a dialog using the save as functionality from the Search page.
Dark mode is officially deemed stable enough to be out of beta.
Allow resize of columns in the event list by mouse.
Disable actions if permissions are handled externally.
Added buttons for stopping all queries, streaming queries, and historical queries from inside the query monitor.
Added maximum width to tabs on the Group page, so they do not keep expanding forever.
Validation error messages are now more precise and have improved formatting.
The GraphQL field isEventForwardingEnabled on the HumioMetadata type is deprecated, as it is no longer in use internally. If you rely on this, please let us know.
Added GraphQL mutation clearRecentQueries which a user can run to clear their recent queries in a specific view or repository.
Added 2-phase migration that will allow old user api tokens to be used and clean global from secrets after a 30 day period.
Renamed the deleteEvents related GraphQL mutations and queries to redactEvents. The redactEvents API is intended for redacting sensitive data from a repository, not for bulk deletion of events. We think the new name invites fewer misunderstandings.
Added three GraphQL mutations for stopping queries: stopAllQueries, stopStreamingQueries, and stopHistoricalQueries.
Changed old personal user token implementation to hash based.
When checking if the ViewAction.EventForwarding action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if the event forwarding is not enabled on the server.
Query validation has been improved to include several errors which used to first show up after submitting search.
Added validation and a more clear error message for queries with a time span of 0.
Retention based on compressed size will no longer account for segment replication.
Query editor: improved code completion of function names.
New metric: ingest-request-delay. Histogram of ingest request time spent being delayed due to exceeding limit on concurrent processing of ingest (milliseconds).
Improved the error reporting when installing, updating or exporting a package fails.
Added new metric: bucket-storage-upload-latency-max. It shows the amount of time spent for the event that that has been pending for upload to bucket storage the longest.
Made the transfer coordinator display more clear errors instead of an internal server error for multinode clusters.
Node roles can now be assigned/removed at runtime.
kvParse()query function can now parse unquoted empty values using the new parameter separatorPadding to specify if your data has whitespace around the key-value separator (typically =). The default is "Unknown", which will leave the functionality of the function unchanged.
Create, update, and delete of dashboards is now audit logged.
Added a precondition that ensures that the number of ingest partitions cannot be reduced.
Added support in the humio event collector for organization- and system-wide ingest tokens and the ability to use a parser from a different repo than the one being ingested into.
Added query function math:arctan2 to the query language.
Added metric for the number of currently running streaming queries.
Improved performance of the query functions
drop()and rename() by quite a bit.
Improved error messages when an invalid regular expression is used in replace.
Improved handling of multiple nodes attempting to create views with the same names at the same time, as might happen when bootstrapping a cluster.
Prepopulate email field when invited user is filling in a form with this information.
It is now possible to ingest logs into Humio using LogStash v.7.13 and upwards.
Added "export as yaml" function to the list pages of parsers, actions and scheduled searches.
Reduce limit on number of datasources for sandbox repositories created when a user is created to .0 by default.
Reword regular expression related error messages.
Added Australian states to the States dropdown.
Refactored query functions join, selfjoin, and selfjoinfilter into user-visible and internal implementations.
Improved shutdown logic slightly, helping prevent thread pools from getting stuck or logging spurious errors during shutdown.
A compressed segment with a size of 1GB will now always count for retention as 1 GB. Previously, a compressed segment with a size of 1GB might count for more than 1GB when calculating retention, if that segment had more replicas than configured. The effect on the retention policy was that if you had configured retention of .0GB compressed bytes, Humio might retain less than .0GB of compressed data if any of those segments had too many replicas.
Added checksum verification within hash filter files on read.
Added management API to put hosts in maintenance mode.
Minor optimization when using groupBy with a single field.
Added a communityID function for calculating hashes of network flow tuples according to the [Community ID Spec](https://github.com/corelight/community-id-spec).
It is now possible to create actions, alerts, scheduled searches, and parsers from Yaml template files.
Improved partition layout auto-balancing algorithm.
Fixed an issue on on-prem trial license that would use user count limits from cloud.
Fixed a bug where offsets from one Kafka partition could be used when deciding where to start consuming for another partition, in the case where there were too many datasources in the repo. This led to a crash loop when the affected node was restarted.
When an alert query encounters a warning and Humio is not configured to trigger alerts despite warnings (ALERT_DESPITE_WARNINGS=true, see [docs](https://library.humio.com/preview/docs/automated/alerts/throttle-period/#errors-warnings)), the warning text will now be shown as an error message on the alert in the UI.
Fixed an issue where the web client could start queries from the beginning of time when scrolling backwards through events in the UI.
Temporary fix of issue with live queries not having first aggregator as
timeChart(), but then later in the query having those as a second aggregator. As a temporary fix, such queries will fail. In later releases, this will get fixed more properly.
Changed field type for zip codes.
No longer return the "Query Plan" in responses, but return a hash in the new field hashedQueryOnView instead. The plan could leak information not otherwise visible to the user, such as query prefixes being applied.
Fixed an issue where a failing event forwarder would be cached indefinitely and could negatively impact Humio performance.
Fixed an issue where
sort()would cause events to be read ina non-optimal order for the entire query.
Fixed an edge case where Humio might create multiple copies of the same datasource when the number of Kafka partitions is changed. The fix ensures only one copy will be created.
Fixed a number of stability issues with the event redaction job.
Alerts and scheduled searches are now enabled per default when created. The check disabling these entities if no actions are attached has been replaced with a warning, which informs a user that even though the entity is enabled, nothing will trigger since no actions are attached.
Fixed an issue where clicking on the counters of parsed events on the Parsers page would open an empty search page, except for built-in parsers. Now, it correctly shows the latest parsed events for all parsers (except package parsers).
Fixed styling issue on the search page where long errors would overflow the screen.
Fixed a bug with the cache not being populated between restarts on single node clusters.
Changes to the state of backend feature flags are now reflected in the audit log.
Fixed an issue where a dashboard installed with a YAML file could be slightly different than what was specified in the file.
Fixed an issue where certain problems would highlight the first word in a query.
Fixed an issue causing Humio running on Java 16+ to return incorrect search results when the input query contains Unicode surrogate pairs (e.g. when searching for an emoji).
Removed error query param from URL when entering Humio.
Fixed an issue where the segment merger would write that the current node had a segment slightly before registering that segment in the local node.
Addressed an issue causing Humio to sometimes error log an ArrayIndexOutOfBoundsException during shutdown.
Fixed an issue where
series()failed to serialize its state properly.
Fixed a bug where invalid UTF-16 characters could not be ingested. They are now converted to 'ufffd'.
Crash the node if any of a number of critical threads die. This should help prevent zombie nodes.
When performing jobs triggered via the Redact Events API, Humio could restart queries for unrelated views until the delete job completed. This has been improved, so only views affected by the delete will be impacted.
Fixed a bug where only part of the Users page was loading when navigating from the All organizations page.
Alerts and scheduled searches are no longer run on cloud for organizations with an expired trial license, and on-prem for any expired license.
Include view+parser-name in thread dumps when time is spent inside a parser.
Fixed incorrect results when searching through saved queries and recent queries.
Support Java 17.
Fixed an issue where error messages would show wrong input.
Fixed an issue where comments spanning multiple lines wouldn't be colored correctly.
Fixed an issue when adding a group to a repository or view than an error message is displayed when the user is not the organization owner or root.
The field vhost in internal Humio logging is now reserved for denoting the host logging the message. Other uses of vhost now uses the field hostId.
Use a fresh (random) name for the tmp folder below the datadir to ensure that it is a proper subdir of the datadir and not a mount point.
Changed default package type to "application" on the export package wizard.
Fixed an issue where a digest node could be unable to rejoin the cluster after being shut down if all other digest nodes were also down at the time.
Fixed an issue where the SegmentMoverJob could delete the local copy of a segment, if a pending download of the segment failed the CRC check. The job will now keep the downloaded file at a temporary path until the CRC check completes, to avoid deleting a local copy created by other jobs, e.g. by bucket downloads.
Removed a spurious warning log when requesting a non-existent hash file from S3.
Fixed a bug where query coordination partitions would not get updated.
When checking if the ViewAction.ChangeS3ArchivingSettings action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if checked on a view, as the action only makes sense on repositories.
Fixed a bug where shared lookup files could not be downloaded from the UI.
When checking if the ViewAction.ChangeRepoConnections action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if checked on a repository, as the action only makes sense on views.
Errors on alerts, which are shown in the alert overview, are now only cleared when either the alert query is updated by a user or the alert triggers. Previously, errors that occurred when actions were triggered would be removed when the alert no longer triggered. Now, they will be displayed until the actions trigger successfully. On the other hand, errors that occur when running the query may now remain until the next time the alert triggers, where they would previously be removed as soon as the query run again without errors.
This change was reverted in 1.33.1.
Browser storage is now cleared when initiating while unauthenticated.
Fixed an issue where some regexes could not be used.
Fixed an issue where missing undersized segments in a datasource might cause Humio to repeatedly transfer undersized segments between nodes.
Fixed an issue where OIDC without a discovery endpoint would fail to configure if OIDC_TOKEN_ENDPOINT_AUTH_METHOD was not set.
Fixed some widgets on dashboards reporting errors while waiting for data to load.
Prevent unauthorized analytics requests being sent.
Fixed an issue where the segment merger could mishandle errors during merge.
When a digester fails to start, rather than restarting the JVM as previous releases did, keep retrying to start assuming that the issue is transient, such as data for a single ingest partition being unavailable for a short while. While in this situation the process reports the metric for ingest latency on the affected partitions as being uptime of the JVM process at this point. The idea is to signal that data is not flowing on those partitions, so that a monitored metric can raise an alarm somewhere. In lack of a proper latency in this situation, it's better to have a growing non-zero metrics than having the metrics being zero.
When creating or updating an action, the backend now verifies that the host url associated with the action is prefixed with either 'http://' or 'https://'. This affects Actions of the type: Webhook, OpsGenie, Single-Channel Slack and VictorOps.
Fixed an issue where a scheduled search failed and was retried, if it had multiple actions and at least one action was unknown to Humio. Now, the unknown action is logged, but the scheduled search completes successfully and continues to the next scheduled run.
Fixed an issue where choosing a UI theme would not get saved properly in the user's settings.
Fixed an issue on sandbox renaming, that would allow you to rename a sandbox and end up in a bad state.
Remove the ability to create ingest tokens and ingest listeners on system repositories.
Fixed an issue where release notes would not close when a release is open.
Changes to the state of IOC access on organizations are now reflected in the audit log.