Falcon LogScale 1.100.0 Stable (2023-08-16)

Version?Type?Release Date?Availability?End of Support







Req. Data






TAR ChecksumValue
Docker ImageSHA256 Checksum

Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.100.0/server-1.100.0.tar.gz

Bug fixes and updates.

Advanced Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.


Items that have been removed as of this release.


  • The deprecated RegistryPackage datatype has been deleted, along with the deprecated mutations and fields using it:

    • installPackageFromRegistry mutation

    • updatePackageFromRegistry mutation

    • package in the Searchdomain datatype


Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Permit running LogScale on Java 20. Docker containers have been upgraded to be based on Java 20.

  • Other

    • The Kafka client has been upgraded to 3.4.1. The Kafka broker has been upgraded to 3.4.1 in the Kafka container.

Improvements, new features and functionality

  • Security

    • All view permission tokens created from now on will not be able to run queries based on the user who created it (legacy behavior due to user requirement for queries). They will however be able to run queries on behalf of the organization given the right permissions.

      Existing view permission tokens and the resources (scheduled searches, alerts, etc.) are unaffected by this change. For any view permission tokens created after this change, the scheduled searches, alerts, etc. created using these tokens, will run based on the organization instead of the user who created the token.

      This addresses the issue where, for example, alerts created using a view permission token would fail to run if the user who created the token was removed from the organization or if the permissions needed to run the alert was removed from the user. With the new behaviour the alert will continue working even though the user is removed or looses the required permissions to run the alert.

    • In the unlikely event where an external actor hits the audit log without an IP set, we will now log null instead of defaulting to the local IP.

    • Migration from the legacy Organization Shared Dashboard IP filter to the Dashboard Security Policies for sharing dashboards will be done by Creating an IP Filter corresponding to the old filter. If the migration can be performed, this IP Filter will be set on all shared dashboards and set as the Shared Dashboard IP filter Security Policy for the organization. If migration cannot be done, a notification will be displayed to the organization owner explaining how to complete the migration manually. Migration cannot be done when there is a shared Dashboard that has an IP filter other than the legacy Organization Shared Dashboard IP filter.

    • Introducing organization query ownership, permission tokens and organization level security policies features.

      For more information, see Organization Owned Queries, Repository & View Permissions, Security Policies.

  • UI Changes

    • Organization and system level permissions can now be handled through the UI.

    • When duplicating an alert, you are now redirected straight to the New alert page.

      For more information, see Reusing an Alert.

    • Filter alerts now have an updated In preview label which no longer behaves like a button but shows a message when hovering over.

  • Automation and Alerts

    • More attributes have been added to Filter alerts:

      • Filter alerts will now be able to catch up with up to 24 hours of delay (ingest delays + delays in actions).

      • Filter alerts will now trigger on events that are unavailable for up to 10 minutes due to query warnings.

      For more information, see Filter Alerts.

    • A new Enable/Disable option has been added for Alerts and Scheduled Searches.

      For more information, see Managing Alerts.

    • Improvements have been made in the UI:

  • GraphQL API

    • For the updateMaxAutoShardCount and blockIngest GraphQL mutations, it is no longer required to be root, instead the caller must have the ManageCluster permission.

    • The userId input field on the updateDashboardToken mutation is now optional and deprecated in favor of the queryOwnershipType field. If userId is set to anything else than the calling user ID, an exception will be thrown.

    • A GraphQL API has been added to read the current tag groupings on a repository.

      For more information, see repository().

    • QueryOnlyAccessTokens GraphQL query field previously used for a prototype has now been removed.

  • Configuration

  • Dashboards and Widgets

    • When clicking Edit in search view on a dashboard widget, the query will now use the live setting of the dashboard. Also, parameter values are carried over.

      For more information, see Managing Widgets.

  • Log Collector

  • Functions

    • Parameter ignoreCase has been added to the in() function, to allow for case-insensitive searching. Default is to case sensitively search for the provided values.

    • Changed the approximation algorithm used for counting distinct values in count(myField, distinct=true) and fieldstats(). Any query using one of the aforementioned functions may report a different number, which in most cases will be more accurate than previous estimates.

  • Other

    • License keys using the format applied before 2021 are no longer supported. Obsolete license formats start with the string eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9. If your license key is obsolete, before you upgrade LogScale contact Support to request an equivalent license key that has the new format. All versions of LogScale since 2020 support the new license key format.

      For more information, see License Installation.

    • For auto sharding operations (GET, UPDATE, DELETE) in Cluster Management API it is no longer required to be root, instead the caller must have the ManageCluster permission.

    • Tag groupings page is now available under the repository Settings tab to see the tag groupings which are currently in use on a repository.

Bug Fixes

  • Security

    • Hidden validation issues that would prevent from saving changes to Security Policies configuration have now been fixed.

  • UI Changes

    • Fixed an issue where query parameters would be extracted from comments in the query.

    • Fixed an error that was thrown when attempting to export fields to CSV containing spaces.

    • Fixed the default query prefixes which would override exceptions to default role bindings if no query prefix is set in the exceptions. The default query prefix set in the default role will now only impact views that are not defined as an exception to the default rule.

  • Automation and Alerts

    • Filter alerts with a query ending with a comment would not run. This issue has now been fixed.

  • GraphQL API

    • The GraphQL query used by the front page could not return all views and repositories a user had access to, because of an issue with the default roles on groups. This issue has now been fixed.

  • Configuration

    • Wrong behaviour in the StaticQueryFractionOfCores dynamic configuration. The intent of this configuration is to limit queries from one organization (user on single-organization clusters) to run on a certain percentage of mapper threads at most, effectively throttling queries to prevent one organization from consuming all capacity. Throttled queries from one organization could still block queries from other organizations and prevent them from running, leaving mapper threads idle: this behaviour has now been fixed.

  • Dashboards and Widgets

    • When Using Saved Queries in Interactions, the interaction would not be kept if the saved query was created from template with the + Create from package button. This issue is now fixed.

    • Description tips that were partly hidden in Table widgets are now correctly visualized in dashboards.

    • Fixed the parameter form which could not be opened when asterisks were used as quoted identifiers in the query.

    • On charts, the legend tooltip was sometimes hidden towards the bottom of the chart. It has now been fixed to stay within the chart boundaries.

    • The rendering of JSON in the Event List widget is now faster and consumes less memory.

    • In Dashboard Link Interactions, the targeted dashboard could not display correctly if the dashboard was renamed. The issue has been fixed by using the dashboard ID instead of the name as reference.

    • When using the sort() function with the Bar Chart widget, it would only stay sorted for a while. The issue has been fixed and it now remains sorted in the same order as the underlying data.

  • Functions

    • Fixed an issue where syntax coloring and code completion would stop working in certain cases (using multiple saved queries, or aggregate function in case).

    • Fixed bucket() and timeChart() functions as they could lead to partially missing results when used in combination with window().

  • Other

    • A 500 status code was issued when ingesting to /api/v1/ingest/json with no assigned parser. It now ingests the rawstring.

    • BucketStorageUploadLatencyJob could incorrectly report that LogScale was falling behind on bucket uploads. This issue has been fixed.

  • Packages

    • Upgrading a Package could result in a conflict for unchanged items when those items had fields beginning or ending with spaces. This issue has now been fixed.