Humio Server 1.34.0 Stable (2021-12-15)

VersionTypeRelease DateEnd of SupportUpgrades FromData MigrationConfig. Changes
1.34.0Stable2021-12-152022-12-151.26.0NoYes
JAR ChecksumValue
MD54dc3b67c42b44e59e0ad6cc02a220f12
SHA1099a9ae07d5595fb06c145aaa80b46ba9f74dd10
SHA25622cd6f60f030d56bcae159b853efe6dcd76f7add127e64c37bcca58c66d1a155
SHA5122645369a9ec989c1b40b190993ecbd4eca8be63b60318a1b1259124819446c06c3bbba92a9c22f1e194133b9da5d05b6c0346369c33e8c33a9777a2a168ae524

Humio Server 1.34 REQUIRES minimum previous version 1.26.0 of Humio to start. Clusters wishing to upgrade from older versions must upgrade to 1.26.0+ first. After running 1.34.0 or later, you cannot downgrade to versions prior to 1.26.0.

You can now use the mouse to resize columns in the event list. Previously you had to click the column header and use the Increase / Decrease Width buttons.

Improvements, new features and functionality

  • UI Changes

    • Allow resize of columns in the event list by mouse.

    • Dark mode is officially deemed stable enough to be out of beta.

    • Added buttons for stopping all queries, streaming queries, and historical queries from inside the query monitor.

    • Updated the links for Privacy Notice and Terms and Conditions.

    • Added autofocus to the first field when opening a dialog using the save as functionality from the Search page.

    • The overall look of message boxes in Humio has been updated.

    • Validation error messages are now more precise and have improved formatting.

    • Disable actions if permissions are handled externally.

    • Added maximum width to tabs on the Group page, so they do not keep expanding forever.

  • GraphQL API

    • The GraphQL field isEventForwardingEnabled on the HumioMetadata type is deprecated, as it is no longer in use internally. If you rely on this, please let us know.

    • Added three GraphQL mutations for stopping queries: stopAllQueries, stopStreamingQueries, and stopHistoricalQueries.

    • Added GraphQL mutation clearRecentQueries which a user can run to clear their recent queries in a specific view or repository.

    • Changed old personal user token implementation to hash based.

    • Renamed the deleteEvents related GraphQL mutations and queries to redactEvents. The redactEvents API is intended for redacting sensitive data from a repository, not for bulk deletion of events. We think the new name invites fewer misunderstandings.

    • Added 2-phase migration that will allow old user api tokens to be used and clean global from secrets after a 30 day period.

  • Configuration

    • When checking if the ViewAction.EventForwarding action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if the event forwarding is not enabled on the server.

  • Other

    • Reword regular expression related error messages.

    • Retention based on compressed size will no longer account for segment replication.

    • Added new metric: bucket-storage-upload-latency-max. It shows the amount of time spent for the event that that has been pending for upload to bucket storage the longest.

    • New metric: ingest-request-delay. Histogram of ingest request time spent being delayed due to exceeding limit on concurrent processing of ingest (milliseconds).

    • Improved partition layout auto-balancing algorithm.

    • Added query function math:arctan2 to the query language.

    • Minor optimization when using groupBy with a single field.

    • Added validation and a more clear error message for queries with a time span of 0.

    • Improved error messages when an invalid regular expression is used in replace.

    • The kvParse() query function can now parse unquoted empty values using the new parameter separatorPadding to specify if your data has whitespace around the key-value separator (typically =). The default is "Unknown", which will leave the functionality of the function unchanged.

    • Added metric for the number of currently running streaming queries.

    • It is now possible to create actions, alerts, scheduled searches, and parsers from Yaml template files.

    • Added management API to put hosts in maintenance mode.

    • Create, update, and delete of dashboards is now audit logged.

    • Added a precondition that ensures that the number of ingest partitions cannot be reduced.

    • Improved shutdown logic slightly, helping prevent thread pools from getting stuck or logging spurious errors during shutdown.

    • Node roles can now be assigned/removed at runtime.

    • Prepopulate email field when invited user is filling in a form with this information.

    • Added a communityID function for calculating hashes of network flow tuples according to the [Community ID Spec](https://github.com/corelight/community-id-spec).

    • Added Australian states to the States dropdown.

    • Improved the error reporting when installing, updating or exporting a package fails.

    • Refactored query functions join, selfjoin, and selfjoinfilter into user-visible and internal implementations.

    • It is now possible to ingest logs into Humio using LogStash v.7.13 and upwards.

    • Added checksum verification within hash filter files on read.

    • Improved handling of multiple nodes attempting to create views with the same names at the same time, as might happen when bootstrapping a cluster.

    • Added support in the humio event collector for organization- and system-wide ingest tokens and the ability to use a parser from a different repo than the one being ingested into.

    • Reduce limit on number of datasources for sandbox repositories created when a user is created to .0 by default.

    • Added a minSpan parameter to timeChart() and bucket(), which can be used to specify a minimum span when using a short time interval.

    • Query validation has been improved to include several errors which used to first show up after submitting search.

    • Query editor: improved code completion of function names.

    • A compressed segment with a size of 1GB will now always count for retention as 1 GB. Previously, a compressed segment with a size of 1GB might count for more than 1GB when calculating retention, if that segment had more replicas than configured. The effect on the retention policy was that if you had configured retention of .0GB compressed bytes, Humio might retain less than .0GB of compressed data if any of those segments had too many replicas.

    • Made the transfer coordinator display more clear errors instead of an internal server error for multinode clusters.

    • Added "export as yaml" function to the list pages of parsers, actions and scheduled searches.

    • Improved performance of the query functions drop() and rename() by quite a bit.

Bug Fixes

  • Security

    • Updated dependencies to log4j 2.16 to remove of message lookups (CVE-2021-44228 and CVE-2021-45046)

  • Other

    • Changed field type for zip codes.

    • Fixed an issue where streaming (exporting) query results in JSON format could include extra "," characters within the output.

    • Fixed an issue where release notes would not close when a release is open.

    • Fixed an issue where OIDC without a discovery endpoint would fail to configure if OIDC_TOKEN_ENDPOINT_AUTH_METHOD was not set.

    • Fixed a bug in the validation of the ‘bits’ parameter of hashMatch() and hashRewrite().

    • Crash the node if any of a number of critical threads die. This should help prevent zombie nodes.

    • Fixed an issue where the SegmentMoverJob could delete the local copy of a segment, if a pending download of the segment failed the CRC check. The job will now keep the downloaded file at a temporary path until the CRC check completes, to avoid deleting a local copy created by other jobs, e.g. by bucket downloads.

    • Fixed an issue on sandbox renaming, that would allow you to rename a sandbox and end up in a bad state.

    • Fixed an issue when adding a group to a repository or view than an error message is displayed when the user is not the organization owner or root.

    • Alerts and scheduled searches are now enabled per default when created. The check disabling these entities if no actions are attached has been replaced with a warning, which informs a user that even though the entity is enabled, nothing will trigger since no actions are attached.

    • Fixed an issue where the web client could start queries from the beginning of time when scrolling backwards through events in the UI.

    • Fixed an issue where clicking on the counters of parsed events on the Parsers page would open an empty search page, except for built-in parsers. Now, it correctly shows the latest parsed events for all parsers (except package parsers).

    • Fixed an issue in the interactive tutorial.

    • Prevent unauthorized analytics requests being sent.

    • Fixed an issue where a dashboard installed with a YAML file could be slightly different than what was specified in the file.

    • Removed error query param from URL when entering Humio.

    • Removed a spurious warning log when requesting a non-existent hash file from S3.

    • Fixed an issue causing Humio running on Java 16+ to return incorrect search results when the input query contains Unicode surrogate pairs (e.g. when searching for an emoji).

    • Fixed a race condition that could cause Humio to delete more segments than expected when initializing a digester node.

    • When checking if the ViewAction.ChangeRepoConnections action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if checked on a repository, as the action only makes sense on views.

    • Fixed a number of stability issues with the event redaction job.

    • Support Java 17.

    • Changed default package type to "application" on the export package wizard.

    • Fixed an issue on on-prem trial license that would use user count limits from cloud.

    • Fixed an issue where certain problems would highlight the first word in a query.

    • Fixed an issue where sort() would cause events to be read ina non-optimal order for the entire query.

    • Changes to the state of IOC access on organizations are now reflected in the audit log.

    • The field vhost in internal Humio logging is now reserved for denoting the host logging the message. Other uses of vhost now uses the field hostId.

    • Temporary fix of issue with live queries not having first aggregator as bucket() or timeChart(), but then later in the query having those as a second aggregator. As a temporary fix, such queries will fail. In later releases, this will get fixed more properly.

    • Fixed an issue where an alert would not be throttled until after its actions had completed, which could make the alert trigger multiple times shortly after each other if an action was slow. Now, the alert is throttled as soon as it triggers.

    • Fixed a bug where only part of the Users page was loading when navigating from the All organizations page.

    • Fixed an issue where missing undersized segments in a datasource might cause Humio to repeatedly transfer undersized segments between nodes.

    • Alerts and scheduled searches are no longer run on cloud for organizations with an expired trial license, and on-prem for any expired license.

    • Fixed an issue where series() failed to serialize its state properly.

    • Fixed an issue that in rare cases would cause login errors.

    • Remove the ability to create ingest tokens and ingest listeners on system repositories.

    • When a digester fails to start, rather than restarting the JVM as previous releases did, keep retrying to start assuming that the issue is transient, such as data for a single ingest partition being unavailable for a short while. While in this situation the process reports the metric for ingest latency on the affected partitions as being uptime of the JVM process at this point. The idea is to signal that data is not flowing on those partitions, so that a monitored metric can raise an alarm somewhere. In lack of a proper latency in this situation, it's better to have a growing non-zero metrics than having the metrics being zero.

    • Fixed a bug with the cache not being populated between restarts on single node clusters.

    • Fixed an issue where the segment merger could mishandle errors during merge.

    • Fixed an issue where some regexes could not be used.

    • Fixed an edge case where Humio might create multiple copies of the same datasource when the number of Kafka partitions is changed. The fix ensures only one copy will be created.

    • Use a fresh (random) name for the tmp folder below the datadir to ensure that it is a proper subdir of the datadir and not a mount point.

    • Fixed an issue where a scheduled search failed and was retried, if it had multiple actions and at least one action was unknown to Humio. Now, the unknown action is logged, but the scheduled search completes successfully and continues to the next scheduled run.

    • Browser storage is now cleared when initiating while unauthenticated.

    • Fixed an issue where a failing event forwarder would be cached indefinitely and could negatively impact Humio performance.

    • Fixed a bug where shared lookup files could not be downloaded from the UI.

    • Fixed a compatibility issue with Filebeat 7.16.0

    • Fixed incorrect results when searching through saved queries and recent queries.

    • Changes to the state of backend feature flags are now reflected in the audit log.

    • Fixed a bug where query coordination partitions would not get updated.

    • When creating or updating an action, the backend now verifies that the host url associated with the action is prefixed with either 'http://' or 'https://'. This affects Actions of the type: Webhook, OpsGenie, Single-Channel Slack and VictorOps.

    • Fixed an issue where error messages would show wrong input.

    • When checking if the ViewAction.ChangeS3ArchivingSettings action is allowed (with e.g. SearchDomain.isActionAllowed), the answer will now be false if checked on a view, as the action only makes sense on repositories.

    • Fixed an issue where a digest node could be unable to rejoin the cluster after being shut down if all other digest nodes were also down at the time.

    • When an alert query encounters a warning and Humio is not configured to trigger alerts despite warnings (ALERT_DESPITE_WARNINGS=true, see [docs](https://library.humio.com/preview/docs/automated/alerts/throttle-period/#errors-warnings)), the warning text will now be shown as an error message on the alert in the UI.

    • Addressed an issue causing Humio to sometimes error log an ArrayIndexOutOfBoundsException during shutdown.

    • Fixed some widgets on dashboards reporting errors while waiting for data to load.

    • Fixed an issue where comments spanning multiple lines wouldn't be colored correctly.

    • No longer return the "Query Plan" in responses, but return a hash in the new field hashedQueryOnView instead. The plan could leak information not otherwise visible to the user, such as query prefixes being applied.

    • When performing jobs triggered via the Redact Events API, Humio could restart queries for unrelated views until the delete job completed. This has been improved, so only views affected by the delete will be impacted.

    • Include view+parser-name in thread dumps when time is spent inside a parser.

    • Fixed a bug where offsets from one Kafka partition could be used when deciding where to start consuming for another partition, in the case where there were too many datasources in the repo. This led to a crash loop when the affected node was restarted.

    • Fixed styling issue on the search page where long errors would overflow the screen.

    • Fixed an issue where the segment merger would write that the current node had a segment slightly before registering that segment in the local node.

    • Fixed a bug where invalid UTF-16 characters could not be ingested. They are now converted to 'ufffd'.

    • Fixed an issue where choosing a UI theme would not get saved properly in the user's settings.