Falcon LogScale 1.100.0 LTS (2023-08-16)
Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Config. Changes |
---|---|---|---|---|---|---|---|
1.100.0 | LTS | 2023-08-16 | Cloud | 2024-08-31 | No | 1.44.0 | No |
TAR Checksum | Value |
---|---|
MD5 | 21d63c1c73f770ef58d5adc06ea1841d |
SHA1 | fafb23178c2ed5dc84dab13265f7dc89b8940de2 |
SHA256 | d51e51ae8e8301044be0bd3c617bde63a6f83b787ded74b61e8e5ded573cad15 |
SHA512 | f0f0b76ceef499ccfe0f1090b0fcaba3fcb16b1cdd61d6d1420d1f3ae84267c251778fc6bd4a1b982fc31c2e5d05af69f784d60daa876101190b3ecb21b53388 |
Docker Image | SHA256 Checksum |
---|---|
humio | fae9d70da0bfe10cb6502029cf0eeb23787f1af56fb773ad894b285052b9f9af |
humio-core | 4ddd216beb45f6bd70f59b0137fb8a36f5b32dfecfebb427059b97b118521d16 |
kafka | 11eb764c06ea5015fc803453c43ea38c034ed66c807aa46ef273d2bf406c7986 |
zookeeper | 1f6d7261f2e2970dd4c67812d5103d3c5dbc228b27f45e18cecf4ab74335969a |
Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.100.0/server-1.100.0.tar.gz
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.
Removed
Items that have been removed as of this release.
GraphQL API
The deprecated RegistryPackage datatype has been deleted, along with the deprecated mutations and fields using it:
installPackageFromRegistry mutation
updatePackageFromRegistry mutation
package in the Searchdomain datatype
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Permit running LogScale on Java 20. Docker containers have been upgraded to be based on Java 20.
Other
The Kafka client has been upgraded to 3.4.1. The Kafka broker has been upgraded to 3.4.1 in the Kafka container.
New features and improvements
Security
View permission tokens created from now on will not be able to run queries based on the user who created them (the legacy behavior, which was due to the user requirement for queries). They will, however, be able to run queries on behalf of the organization, given the right permissions.
Existing view permission tokens and the resources (scheduled searches, alerts, etc.) are unaffected by this change. For any view permission token created after this change, the scheduled searches, alerts, etc. created using that token will run based on the organization instead of the user who created the token.
This addresses the issue where, for example, alerts created using a view permission token would fail to run if the user who created the token was removed from the organization or if the permissions needed to run the alert were removed from the user. With the new behaviour, the alert will continue working even if the user is removed or loses the required permissions to run the alert.
In the unlikely event where an external actor hits the audit log without an IP set, we will now log null instead of defaulting to the local IP.
Migration from the legacy Organization Shared Dashboard IP filter to the Dashboard Security Policies for sharing dashboards will be done by creating an IP Filter corresponding to the old filter. If the migration can be performed, this IP Filter will be set on all shared dashboards and set as the Shared Dashboard IP filter Security Policy for the organization. If migration cannot be done, a notification will be displayed to the organization owner explaining how to complete the migration manually. Migration cannot be done when there is a shared Dashboard that has an IP filter other than the legacy Organization Shared Dashboard IP filter.
Introducing organization query ownership, permission tokens and organization level security policies features.
For more information, see Organization Owned Queries, Repository & View Permissions, Security Policies.
UI Changes
Organization and system level permissions can now be handled through the UI.
When duplicating an alert, you are now redirected straight to the New alert page.
For more information, see Reusing an Alert.
Filter alerts now have an updated In preview label, which no longer behaves like a button but shows a message when hovered over.
Automation and Alerts
More attributes have been added to Filter alerts:
Filter alerts will now be able to catch up with up to 24 hours of delay (ingest delays + delays in actions).
Filter alerts will now trigger on events that are unavailable for up to 10 minutes due to query warnings.
For more information, see Filter Alerts.
A new / option has been added for Alerts and Scheduled Searches.
For more information, see Managing Alerts.
Improvements have been made in the UI:
When Creating an Alert from a Query, the alert type — Standard or Filter — is auto-selected based on query detection.
Added a trigger limit field in the Filter Alerts form.
Actions are now selected in Alerts and Scheduled Searches forms using a ComboBox component.
Changed the behaviour of the + button for Actions selection in the Alerts and Scheduled Searches forms; it will now take you to the form where you create a new action instead of adding an action to that entity.
GraphQL API
For the updateMaxAutoShardCount and blockIngest GraphQL mutations, it is no longer required to be root; instead, the caller must have the ManageCluster permission.
The userId input field on the updateDashboardToken mutation is now optional and deprecated in favor of the queryOwnershipType field. If userId is set to anything other than the calling user ID, an exception will be thrown.
A GraphQL API has been added to read the current tag groupings on a repository.
For more information, see repository().
The QueryOnlyAccessTokens GraphQL query field, previously used for a prototype, has now been removed.
API
For auto sharding operations (GET, UPDATE, DELETE) in the Cluster Management API, it is no longer required to be root; instead, the caller must have the ManageCluster permission.
Configuration
The following configuration parameters have been added:
FILTER_ALERTS_MAX_CATCH_UP_LIMIT to set how long back filter alerts will be able to catch up with delays.
FILTER_ALERTS_MAX_WAIT_FOR_MISSING_DATA to set for how long filter alerts will wait for query warnings about missing data to disappear.
The following configuration parameters for storage concurrency are now deprecated:
GCP_STORAGE_UPLOAD_CONCURRENCY
GCP_STORAGE_DOWNLOAD_CONCURRENCY
They are replaced by new variables:
If unassigned, the new variables will populate with the largest value from the deprecated variables, until these are removed.
The new configuration parameters FILTER_ALERT_MAX_EMAIL_TRIGGER_LIMIT and FILTER_ALERT_MAX_NON_EMAIL_TRIGGER_LIMIT now allow setting the trigger limit for filter alerts; the allowed value depends on whether the alert has email actions attached or not.
Introduced the new Dynamic Configuration option QueryPartitionAutoBalance which turns on/off automatic balancing of query partitions across nodes.
For more information, see Dynamic Configuration Parameters.
Dashboards and Widgets
When clicking
on a dashboard widget, the query will now use the live setting of the dashboard. Also, parameter values are carried over.
For more information, see Manage Widgets.
Log Collector
A new fleet metric has been added to the Fleet overview page.
For more information, see Falcon Log Collector Manage your Fleet.
Quick filters have been added on the Fleet Overview (Status and Config) and Config overview (Status) pages.
For more information, see Falcon Log Collector Manage your Fleet.
A menu item has been added to the Fleet Overview page, which now allows unenrolling a collector from Fleet Management.
For more information, see Manage Falcon Log Collector Instance Enrollment.
Functions
Parameter ignoreCase has been added to the in() function, to allow for case-insensitive searching. The default is to search case-sensitively for the provided values.
Changed the approximation algorithm used for counting distinct values in count(myField, distinct=true) and fieldstats(). Any query using one of the aforementioned functions may report a different number, which in most cases will be more accurate than previous estimates.
Other
License keys using the format applied before 2021 are no longer supported. Obsolete license formats start with the string eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9. If your license key is obsolete, contact Support before you upgrade LogScale to request an equivalent license key that has the new format. All versions of LogScale since 2020 support the new license key format.
For more information, see License Installation.
The Tag groupings page is now available under the repository Settings tab to see the tag groupings which are currently in use on a repository.
Fixed in this release
Security
Hidden validation issues that would prevent saving changes to the Security Policies configuration have now been fixed.
UI Changes
Fixed an issue where query parameters would be extracted from comments in the query.
Fixed an error that was thrown when attempting to export fields to CSV containing spaces.
Fixed the default query prefixes which would override exceptions to default role bindings if no query prefix is set in the exceptions. The default query prefix set in the default role will now only impact views that are not defined as an exception to the default rule.
Automation and Alerts
Filter alerts with a query ending with a comment would not run. This issue has now been fixed.
GraphQL API
The GraphQL query used by the front page could not return all views and repositories a user had access to, because of an issue with the default roles on groups. This issue has now been fixed.
Configuration
Wrong behaviour in the StaticQueryFractionOfCores dynamic configuration. The intent of this configuration is to limit queries from one organization (user on single-organization clusters) to run on a certain percentage of mapper threads at most, effectively throttling queries to prevent one organization from consuming all capacity. Throttled queries from one organization could still block queries from other organizations and prevent them from running, leaving mapper threads idle: this behaviour has now been fixed.
Ingestion
A 500 status code was issued when ingesting to /api/v1/ingest/json with no assigned parser. It now ingests the rawstring.
Dashboards and Widgets
When Using Saved Queries in Interactions, the interaction would not be kept if the saved query was created from template with the button. This issue is now fixed.
Description tips that were partly hidden in Table widgets are now correctly visualized in dashboards.
Fixed the parameter form which could not be opened when asterisks were used as quoted identifiers in the query.
On charts, the legend tooltip was sometimes hidden towards the bottom of the chart. It has now been fixed to stay within the chart boundaries.
The rendering of JSON in the Event List widget is now faster and consumes less memory.
In Dashboard Link Interactions, the targeted dashboard could not display correctly if the dashboard was renamed. The issue has been fixed by using the dashboard ID instead of the name as reference.
When using the sort() function with the Bar Chart widget, it would only stay sorted for a while. The issue has been fixed and it now remains sorted in the same order as the underlying data.
Functions
Fixed an issue where syntax coloring and code completion would stop working in certain cases (using multiple saved queries, or aggregate function in case).
Fixed bucket() and timeChart() functions as they could lead to partially missing results when used in combination with window().
Other
BucketStorageUploadLatencyJob could incorrectly report that LogScale was falling behind on bucket uploads. This issue has been fixed.
Packages
Upgrading a Package could result in a conflict for unchanged items when those items had fields beginning or ending with spaces. This issue has now been fixed.