Latest GA Release

Falcon LogScale 1.169.0 GA (2024-12-17)

Version?Type?Release Date?Availability?End of Support

Security

Updates

Upgrades

From?

Config.

Changes?
1.169.0GA2024-12-17

Cloud

Next LTSNo1.136No

Available for download two days after release.

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Storage

    • There is a change to the archiving logic so that LogScale no longer splits a given segment into multiple bucket objects based on ungrouped tag combinations in the segment. Tag groups were introduced to limit the number of datasources if a given tag had too many different values. But the current implementation of archiving splits the different tag combinations contained in a given segment back out into one bucket per tag combination, which is a scalability issue, and can also affect mini-segment merging. The new approach just uploads into one object per segment. As a visible impact for the user, there will be fewer objects in the archiving bucket, and the naming schema for the objects will change to not include the tags that were grouped into the tag groups that the datasource is based on. The set of events in the bucket will remain the same. This is a cluster risk, so the change is released immediately.

      For self-hosted customers: if you need time to change the external systems that read from the archive due to the naming changes, you may disable the DontSplitSegmentsForArchiving feature flag (see Enabling & Disabling Feature Flags).

      For more information, see Tag Grouping.

  • GraphQL API

    • The new parameter strict has been added to the input of analyzeQuery() GraphQL query. When set to default value true, query validation will always validate uses of saved query and query parameter. When set to false, it will attempt to ignore validation of saved query and query parameter uses. This is a breaking change because previously, validation would behave as if strict was set to false. To achieve legacy behavior, set strict=false.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

New features and improvements

  • Administration and Management

    • Usage is now logged to the humio repository.

  • Ingestion

    • Clicking Run tests on the parser editor page now produces events that are more similar to what an ingested event would look like in certain edge cases.

    • You can now validate whether your parser complies to the ??? by clicking the checkbox Use CPS in the parser editor.

      For more information, see Normalize and Validate Against CPS Schema.

  • Functions

Fixed in this release

  • Queries

    • The query table endpoint client has been fixed as it was unable to receive the response for tables larger than 128 MB, and an error occurred.

    • A performance regression in the query scheduler has been fixed as it could lead to query starvation and slow searches.

Improvement

  • Storage

    • Improved performance when syncing IOCs internally within nodes in a cluster.

    • Improved the performance of ingest queue message handling that immediately follows a change in the Kafka partition count. Without this improvement, changing the partition count could substantially slow down processing of events ingested before the repartitioning.

    • Relocation of datasources after a partition count change will now be restarted if the Kafka partition count changes again while the cluster is executing relocations. This ensures that datasource placement always reflects the latest partition count.

  • Functions

    • Improving the error message for missing time zones in the parseTimestamp() function.