Stable Release
Falcon LogScale 1.131.1 Stable (2024-04-17)
Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | JDK Compatibility | Req. Data Migration | Config. Changes |
---|---|---|---|---|---|---|---|---|---|
1.131.1 | Stable | 2024-04-17 | Cloud On-Prem | 2025-04-30 | Yes | 1.106 | 17-21 | No | No |
TAR Checksum | Value |
---|---|
MD5 | 4a9223ff7d628a52257783b70b084726 |
SHA1 | 3666c2ac1eea45e07ea9a89f0c16eafffebc1e01 |
SHA256 | 5eb83a4ee2c9a8792f1ac1ec9ddad9282a5e9e98d523a77556762eded9fd50ad |
SHA512 | 86000582f6b4134f85943ae2385b0b17113f241f988864c9113f2df639f4a2f97a6eba69edb305ec57e2e0db53578a79fb7f54aa15b9acd909092d8cc88f1438 |
Docker Image | Included JDK | SHA256 Checksum |
---|---|---|
humio | 21 | adcf2fea3d8f9c10b764a73577959eeb5c58cdb2955e69846b26effc5758e0b9 |
humio-core | 21 | 2985c7ec6bde2f3c8904f71d238e7fdd70547c9d71488aea997acb89cf2d15ec |
kafka | 21 | 262c7e74062a32cecee9119836752ee6310662d570f80926e7dd36dcb785d380 |
zookeeper | 21 | b9b0349704cc996701c65cf713c1584c0b5db7f70cb00d53bf1051c50e0e99ab |
Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.131.1/server-1.131.1.tar.gz
Bug fixes and updates.
Removed
Items that have been removed as of this release.
GraphQL API
The enabledFeatures() query has been removed from the GraphQL schema. Use the featureFlags() query instead.
Deprecation
Items that have been deprecated and may be removed in a future release.
The assetType GraphQL field on Alert, Dashboard, Parser, SavedQuery and ViewInteraction datatypes has been deprecated and will be removed in version 1.136 of LogScale.
The any argument to the type parameter of sort() and table() has been deprecated and will be removed in version 1.142.
Warning prompts will be shown in queries that fall into either of these two cases:
If you are explicitly supplying an any argument, please either simply remove both the parameter and the argument, for example change sort(..., type=any) to sort(...), or supply the argument for type that corresponds to your data.
If you are sorting hexadecimal values by their equivalent numerical values, please change the argument of the type parameter to hex, e.g. sort(..., type=hex).
In all other cases, no action is needed.
The new default value for sort() and table() will be number. Both functions will fall back to lexicographical ordering for values that cannot be understood as the provided argument for type.
In the GraphQL API, the ChangeTriggersAndAction enum value for both the Permission and ViewAction enum is now deprecated and will be removed in version 1.136 of LogScale.
We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.
Better alternatives are available going forward. We recommend the following:
If your cluster is deployed on Kubernetes: STRIMZI
If your cluster is deployed to AWS: MSK
In other cases: Confluent for Kafka and Confluent for ZooKeeper
If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.
Several GraphQL queries and mutations for interacting with parsers are deprecated and scheduled for removal in version 1.142. These changes can be seen in the library at the following pages:
In the GraphQL API, the name argument to the parser field on the Repository datatype has been deprecated and will be removed in version 1.136 of LogScale.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Security
DNS caches are now invalidated after 60 seconds instead of never. To override this behavior, set the security policy networkaddress.cache.ttl in the security manager of the JRE (see Java Networking Properties).
Ingestion
It is no longer possible to delete a parser that is being used in an ingest feed. The parser must first be removed from the ingest feed.
For more information, see Deleting an Ingest Feed.
Improvements, new features and functionality
Upgrades
The minimum version required to upgrade from has been raised to 1.106, in order to allow removing some workarounds for compatibility with old versions.
Security
Added support for authorizing with an external JWT from an IdP set up in our cloud environment.
The audience for dynamic OIDC IdPs in our cloud environments is now logscale-$orgId, where $orgId is the ID of your organization.
Added support for Okta's federated IdP OIDC extension to identity providers set up in cloud.
Automation and Alerts
Throttling and field-based throttling are introduced as optional functionalities in Filter Alerts. The minimum throttling period is 1 minute.
The customizable trigger limit for Filter Alerts is removed. The trigger limit is now automatically determined based on the associated actions. If one or more email actions are associated, the trigger limit will be 15; otherwise, the trigger limit will be 100. Any existing customizable trigger limit of 1 will be treated as a throttling period of 1 minute; all other custom trigger limits will be ignored. This is a non-backwards compatible change to the GraphQL APIs for Filter Alerts, so any automation for these alerts must be updated.
GraphQL API
The new scopeClaim input argument has been added to OidcConfigurationInput and UpdateOidcConfigurationInput for dynamic OIDC configurations in our clouds.
If the IdP is dynamic, we will try to grab the scope claim based on the value given as an input to either newOIDCIdentityProvider() or updateOIDCIdentityProvider() mutations. It will fall back to the cluster configuration.
Configuration
The new dynamic configuration MaxOpenSegmentsOnWorker is implemented to control the hard cap on open segment files for the scheduler. The scheduler should in most cases not reach this limit and it only acts as a backstop. Therefore, we recommend that administrators do not modify this setting unless advised to do so by CrowdStrike Support.
Authorization attempted via JWT tokens will now only try to grab user information from the user info endpoint if the scope in the access token contains any of the following: profile, email, openid. If no such scope is located in the token, LogScale will try to extract the username from the token and no other user details will be added. We will extract the scope claim based on the new environment variable OIDC_SCOPE_CLAIM, whose default is scope.
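A way to check ahead of an upgrade whether tokens from your IdP would still lead to the user info lookup described above. This is an added example, not LogScale code: it models the rule as the note states it and does not verify signatures, and the function names, the sample tokens and the handling of array-valued scope claims are assumptions.

```python
import base64
import json
import os

USERINFO_SCOPES = {"profile", "email", "openid"}  # scopes listed in the release note


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(token, claim):
    """Return the scopes found in `claim` of the JWT payload (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = json.loads(_b64url_decode(parts[1]))
    value = payload.get(claim)
    if isinstance(value, str):   # space-separated string form
        return set(value.split())
    if isinstance(value, list):  # assumption: array form, as some IdPs emit
        return {s for s in value if isinstance(s, str)}
    return set()


def expects_userinfo_lookup(token, environ=None):
    """True if the token's scopes include profile, email or openid."""
    environ = os.environ if environ is None else environ
    claim = environ.get("OIDC_SCOPE_CLAIM", "scope")  # default named in the note
    return bool(token_scopes(token, claim) & USERINFO_SCOPES)


def make_sample_token(payload):
    """Constructed, unsigned sample token; the third segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "placeholder"])


# Constructed sample payloads, not taken from any real IdP.
USER_TOKEN = make_sample_token({"sub": "alice", "scope": "openid email"})
MACHINE_TOKEN = make_sample_token({"sub": "ci-bot", "scope": "ingest:write"})
ARRAY_TOKEN = make_sample_token({"sub": "bob", "scp": ["openid", "profile"]})

if __name__ == "__main__":
    for tok in (USER_TOKEN, MACHINE_TOKEN, ARRAY_TOKEN):
        print(expects_userinfo_lookup(tok, {}), expects_userinfo_lookup(tok, {"OIDC_SCOPE_CLAIM": "scp"}))
```

A token whose scopes sit under a claim other than the configured one reads as having no matching scope, so under the rule above only the username would be extracted for that user.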
Ingestion
New parser APIs have been introduced for more extensive parser testing. In the API, parser test cases now have a new structure.
For more information, see createParserV2(), DeleteParserInput, testParserV2(), updateParserV2(), and Parser.
Ingest feeds can read from an AWS SQS queue that has been populated with AWS SNS subscription events.
For more information, see Ingesting Data from AWS S3.
Functions
The parseTimestamp() function is now able to parse timestamps with nanosecond precision.
The setField() query function is introduced. It takes two expressions, target and value, and sets the field named by the result of the target expression to the result of the value expression. This function can be used to manipulate fields whose names are not statically known, but computed at runtime.
For more information, see setField().
The getField() query function is introduced. It takes an expression, source, and sets the field defined by as to the result of the source expression. This function can be used to manipulate fields whose names are not statically known, but computed at runtime.
For more information, see getField().
Other
The default IP filter for IdP and RDNS operations is now more restrictive: rdns() now defaults to denying lookups of reserved IP ranges and the filter has been updated to deny additional reserved IP ranges, as specified by the IANA. Self-hosted administrators can specify their own filters by using the environment variables IP_FILTER_IDP, IP_FILTER_RDNS, and IP_FILTER_RDNS_SERVER respectively.
The split by AWS record setting within ingest feeds will now accept numbers with leading zeros.
The missing-cluster-nodes metric will now track the nodes that are missing heartbeat data in addition to the nodes that have outdated heartbeat data. The new missing-cluster-nodes-stateful metric will track the registered nodes with outdated/missing heartbeat data that can write to global.
For more information, see Node-Level Metrics.
Queries are now allowed to be queued for start by the query coordinator for a maximum of 10 minutes.
For more information, see Query Coordination.
Bug Fixes
UI Changes
Field aliases could not be read on the sandbox repository. This issue is now fixed.
CSV files produced by LogScale for sending as attachments from email actions or uploaded through a LogScale Repository action could contain values where part of the text was duplicated. This would only happen for values that needed to be quoted. This issue is now fixed.
Automation and Alerts
Filter Alerts with field-based throttling could trigger on two events with the same value for the throttle field, if actions were slow. This issue is now fixed.
Ingestion
Cloning a parser from the UI would not clone the fields to be removed before parsing. This issue is now fixed.
Fixed an issue that prevented the creation of Netflow/UDP protocol ingest listeners.
Dashboards and Widgets
A dashboard with fixed shared time as default would not update correctly when selecting a new relative time. This issue is now fixed.
Other
An issue with the IOC Configuration causing the local database to update too often has now been fixed.
Multiple clients might trigger concurrent computation of the result step for a shared query. This issue has been fixed: now only one pending computation is allowed at a time.
Packages
Updating a package could fail, if one of the assets from the package had been deleted from the view where the package was installed. This issue has been fixed.
When attempting to upload a package disguised as a folder, some browsers would get a generic error message. To fix this issue, only zip files are accepted now.
Public Preview
Functions
A new query function readFile() is released in Public Preview. It allows using a CSV Lookup File as data input for a query.
For more information, see readFile().
Improvement
Storage
Moved the work of creating a global snapshot for upload to bucket storage from the thread coordinating segment uploads/downloads to a separate thread. This improves the reliability of uploading and downloading the global snapshot to/from bucket storage.
SegmentChangesJobTrigger has been disabled on nodes configured to not be able to store segments, thus saving some CPU time.
Configuration
The default value for AUTOSHARDING_MAX has changed from 128 to 1,024.
The default maximum limit for groupBy() has been increased from 200,000 to 1,000,000, meaning that this function can now be asked to collect up to a million groups. However, due to stability concerns it will not allow groupBy() to return the full million rows as a result when this function is the last aggregator: this is governed by the QueryResultRowCountLimit dynamic configuration, which remains unchanged. Therefore, this new limit is best utilized when groupBy() is used as a computational tool for creating groups that are then later aggressively filtered and/or aggregated down in size. If you experience resource strain or starvation on your cluster, you can reduce the maximum limit via the GroupMaxLimit dynamic configuration.
The default value for AUTOSHARDING_TRIGGER_DELAY_MS has changed from 1 hour to 4 hours.
The default memory limit for the query coordinator node has been increased from 400 MB to 4 GB. This new limit allows each query to use up to 1 GB of memory and thus produce more results, at the cost of taking up more resources. This in turn indirectly limits the amount of concurrent queries as the query scheduler may choose not to run a given query before existing queries have completed. If you experience resource strain or starvation on your cluster, you can reduce the memory limit by setting the QueryCoordinatorMemoryLimit dynamic configuration to 400,000,000.
Functions
Live queries now restart and run with the updated version of a saved query when the saved query changes.
For more information, see User Functions (Saved Searches).
Reduction of memory requirements when processing empty arrays in functions that accept them. This helps reduce the memory required to use these functions with empty arrays.
Other
Improved handling of segments being replaced due to either merging or event redaction, to address rare cases of event duplication when segments are replaced multiple times shortly after each other.