Latest GA Release
Falcon LogScale 1.181.0 GA (2025-03-25)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.181.0 | GA | 2025-03-25 | Cloud | Next LTS | No | 1.150.0 | 1.157.0 | No |
Available for download two days after release.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on theRoletype has been marked as deprecated (will be removed in version 1.195).The
storagetask of the GraphQLNodeTaskEnumis deprecated and scheduled to be removed in version 1.185. This affects the following items:
The
supportedTasksfield of theClusterNodetype.The
assignedTasksfield of theClusterNodetype.The
unassignedTasksfield of theClusterNodetype.The assignTasks() mutation.
The unassignTasks() mutation
The
INITIAL_DISABLED_NODE_TASKSconfiguration variable.LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.189.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
logscale Syntax"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"Some uses of the
wildcard()function, particularly those that do not specify afieldargument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example/(abra|kadabra)/are also free-text-searches and are thus also deprecated after the first aggregate function.To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example,
myField=/(abra|kadabra)/continue to work also after the first aggregate function.The use of the event functions
eventInternals(),eventFieldCount(), andeventSize()after the first aggregate function is deprecated. For example:Invalid Example for Demonstration - DO NOT USElogscaleeventSize() | tail(200) | eventInternals()Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.189.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
logscaleeventSize() | tail(200)The setConsideredAliveUntil and
setConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from theScheduledSearchdatatype is now deprecated and planned for removal in LogScale version 1.202. The newlastExecutedandlastTriggeredfields have been added to theScheduledSearchdatatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
Administration and Management
Updated how the losable-node-count-before-storage-over-capacity gauge metric is calculated, to consider secondary storage. When secondary storage is present, it takes precedence over primary storage to calculate the available storage capacity, taking into account the
SECONDARY_STORAGE_MAX_FILL_PERCENTAGEconfiguration settings.The new metric query-worker-queue-full is now available. This metric tracks the number of times a worker queue was full and a new query submission was rejected as a result.
User Interface
The Lookup Files preview feature in the User Interface now displays a maximum of 500 rows, reduced from 50,000. The lower limit improves the UI performance and matches the existing row limit for Ad-hoc tables previews.
Automation and Alerts
Added more fields to some of the logs for Filter alerts in the humio-activity repository.
Storage
LogScale now uses a fixed TCP receive buffer size for ingest consumers, which defaults to 32 MB. This change replaces the previous automatic buffer size calculation, which did not perform reliably. The operating system supplies buffer limits based on the value defined in the
/proc/sys/net/core/rmem_maxfile. System administrators must modify this file to enable larger buffer sizes.To specify a different buffer size than the default, use the
KAFKA_INGEST_QUEUE_CONSUMER_variable as the prefix to pass these consumer configuration properties:
GraphQL API
Setting short-term stability on the following output fields available on the testParserV2 GraphQL mutation:
falselyTaggedFields
arraysWithGaps (and all subfields)
schemaViolations (and all subfields)
These fields were previously only available in preview form.
Configuration
LogScale introduces the new configuration variable
PDF_RENDER_SERVICE_CALLBACK_BASE_URL, which can be used to control the callback URL sent to the PDF Render Service used by the Scheduled PDF Reports feature. The default behaviour is to use thePUBLIC_URLvariable for the callback URL sent to the render service, but in some deployment scenarios it is beneficial to keep the request traffic internal to the cluster where LogScale is hosted, instead of using the public facing URL for the requests. This is where this new variable can be used. If LogScale is deployed in multi-organization mode, the callback URL goes through the same rules of formatting, as described for thePUBLIC_URLvariable. IfPDF_RENDER_SERVICE_CALLBACK_BASE_URLis not configured, thenPUBLIC_URLis used.For more information, see
PDF_RENDER_SERVICE_CALLBACK_BASE_URL, Adding PDF Render to LogScale Configuration.
Functions
Fixed in this release
Security
OAuth login failed when following certain links to LogScale queries, due to LogScale not being able to decode the OAuth state value.
Automation and Alerts
Previously, a fatal error in handling an Alert or Scheduled search could result in other Alerts or Scheduled searches failing to run. This issue has now been fixed.
Storage
Before this fix, the system incorrectly removed all
currentHostsfrom segments during bucket storage upload when:NoCurrentsForBucketSegmentswas enabledS3_STORAGE_PREFERRED_COPY_SOURCEvariable was disabled.
Now
currentHostsare only removed from segments when both settings are enabled.
Queries
The User Interface would show Query status: Done even for queries whose completion rate was less than 100%. This issue has now been fixed.
Functions
Using fields that were not in the original event in the
whereclause would fail forselfJoin()andselfJoinFilter()functions when theprefilterparameter is set totrue.
Improvement
User Interface
During group creation, LogScale incorrectly displayed a You have no roles yet message, despite roles always being present after the creation was completed.
This behavior is now being removed internally from the group creation workflow, as this state can't occur in the system (organizations always have at least one default role).
This change now improves the system as follows:
Improved workflow consistency. The roles list now appears correctly in the UI during group creation
Enhanced internal system stability
Users can still create new roles through the existing roles list view.
LogScale now provides enhanced accessibility for disabled icon buttons. Users can understand why an icon is unavailable through clear feedback from both tooltip and screen reader announcements. This improvement makes the interface more inclusive for keyboard navigation and screen reader users.
The UI menu is now hidden on those views where it is not applicable, instead of showing as disabled.
Dashboards and Widgets
Dashboards now benefit from enhanced field statistics computation. This optimization ensures better dashboard performances while processing query results.
Queries
Improving error handling when submitting queries: if an invalid query is submitted, submission is not retried internally anymore. This in particular improves error reporting for Alerts and Scheduled searches.
Queries run on behalf of an organization are now logged to the humio-audit and humio-activity repositories like other queries.