Falcon LogScale 1.106.2 Stable (2023-09-27)

Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.106.2/server-1.106.2.tar.gz

Bug fixes and updates.

Advanced Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.

  • Automation and Alerts

    • In LogScale version 1.112 we will change how standard alerts handle query warnings. Currently, LogScale will only trigger alerts if there are no query warnings. Starting with the upcoming version 1.112, alerts will trigger despite most query warnings, and the alert status will show a warning instead of an error.

      Up until now, all query warnings have been treated as errors. This means that the alert does not trigger even though it produces results, and the alert is shown with an error in LogScale. Most query warnings mean that not all data was queried. The current behaviour prevents the alert from triggering in cases where it would not have triggered if all data had been available, for instance an alert that triggers when a count of events drops below a threshold. On the other hand, it also keeps some alerts from triggering even though they would still have triggered if all data had been available. This means that currently you will almost never get an alert that you should not have gotten, but you will sometimes not get an alert that you should have gotten. We plan to reverse this.

      When this change happens, we will no longer recommend setting the configuration option ALERT_DESPITE_WARNINGS to true, since it treats all query warnings as non-errors, and there are a few query warnings that should make the alert fail.
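The trade-off described above can be made concrete with a small model. This is an added illustration, not LogScale code: the policy labels `"current"` and `"1.112"`, the `must_fail` flag and the sample counts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Run:
    seen_count: int          # events counted in the data that was actually searched
    warning: bool = False    # a query warning was raised (typically: not all data queried)
    must_fail: bool = False  # assumed flag for the few warnings that should still fail the alert

def evaluate(run: Run, condition: Callable[[int], bool], policy: str):
    """Return (triggered, status); policy is "current" or "1.112" (labels of this model)."""
    if run.warning and (policy == "current" or run.must_fail):
        return False, "error"  # alert does not trigger and is shown with an error
    return condition(run.seen_count), ("warning" if run.warning else "ok")

def outcome(full_count: int, run: Run, condition, policy: str):
    """Compare one run with what the alert would have done had all data been available."""
    expected = condition(full_count)
    triggered, status = evaluate(run, condition, policy)
    if triggered == expected:
        verdict = "correct"
    else:
        verdict = "spurious" if triggered else "missed"
    return verdict, status

def drops_below(count: int) -> bool:  # alert when a count falls under a threshold
    return count < 100

def rises_above(count: int) -> bool:  # alert when a count exceeds a threshold
    return count > 100

def demo():
    # Constructed sample: the true count over all data is 150 in both runs.
    partial_low = Run(seen_count=60, warning=True)
    partial_high = Run(seen_count=120, warning=True)
    return {
        ("drops_below", "current"): outcome(150, partial_low, drops_below, "current"),
        ("drops_below", "1.112"): outcome(150, partial_low, drops_below, "1.112"),
        ("rises_above", "current"): outcome(150, partial_high, rises_above, "current"),
        ("rises_above", "1.112"): outcome(150, partial_high, rises_above, "1.112"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under the current behaviour the only wrong outcome is a missed alert; after the change the only wrong outcome is a spurious alert that carries a warning status, so detections built on "drops below" conditions are the ones to review before upgrading.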

Improvements, new features and functionality

  • Installation and Deployment

    • The following adjustments have been made to the launcher script:

      • Removed UnlockDiagnosticVMOptions

      • Raised default heap size to 75% of host memory, up from 50%

      • Moved -XX:CompileCommand settings into the mandatory launch options, to prevent accidentally removing them when customizing HUMIO_JVM_PERFORMANCE_OPTS

      • Set -XX:MaxDirectMemorySize to 1/5GB per CPU core as a default.

      • Print a warning if the sum of the heap size and the direct memory setting exceeds the total available memory.

  • UI Changes

    • The Show in context dialog now closes when the Search button in the dialog is clicked.

    • The fields and values in the Fields Panel and in the Event List are now sorted case-insensitively.

  • Automation and Alerts

    • It is now possible to import and export Filter Alerts in Packages from the UI.

    • When creating or updating Filter Alerts using the GraphQL API, it is now possible to refer to actions in Packages using a qualified name of "packagescope/packagename:actionname". Actions in packages will no longer be found if using an unqualified name.

    • The UI flow for Alerts has been updated: when you click on New alert you are directly presented with the New alert form.

    • Importing an alert from template or package is done from the new Import from button now located on top of the New alert form.

    • When installing or updating a package with an Alert or Scheduled search referencing an action that is not part of the package, the error is now shown in the UI. Previously, a generic error was shown.

    • Added a status field to some of the logs for Standard Alerts and Filter Alerts as well as Scheduled Searches. The field shows whether the current run of the job resulted in a Success or Failure for the Alert or Scheduled Search.

      For more information, see Monitoring Alert Execution through the humio-activity Repository.

    • When installing a package, all actions referenced by Alerts and Scheduled searches in the package must be contained in the package. Previously, missing actions were just ignored.

    • It is now possible to create Packages containing Filter Alerts, as well as importing such packages, using the API.

  • GraphQL API

    • The following GraphQL mutations have been changed so that the actions field can either contain IDs or names of actions:

      • createAlert

      • updateAlert

      • createScheduledSearch

      • updateScheduledSearch

  • Configuration

  • Dashboards and Widgets

    • The text color styling option of the Note Widget is now included when importing a dashboard template or exporting it to a yaml file.

    • The maximum number of entries suggested in the dropdown of a parameter field of type File Parameter has been increased to 10,000.

  • Log Collector

    • You can now toggle columns on the instance table, thereby specifying which information should be shown.

    • In Fleet Management, it is now possible to discard the draft of a configuration and roll back to the published version.

      For more information, see Editing a Remote Configuration.

  • Functions

    • The rename() function has been enhanced: it is now possible to rename multiple fields using an array in its field argument. This is backwards compatible with giving separate field and as arguments.

    • The new query function wildcard() is introduced. This function makes it easy to search for case-insensitive patterns on dashboards, or in ad-hoc queries.

    • The new query function crypto:md5() is introduced. This function computes the MD5 hash of a given array of fields.

    • Support for decimal values as exponent and divisor is now added in math:pow() and math:mod() functions respectively.

    • The memory consumption of the formatTime() function has been decreased.

  • Other

    • The ability to remove fields when parsing data has been enabled for all users.

      For more information, see Removing Fields.

    • Audit logs for Ingest Tokens now include the ingest token name.

Bug Fixes

  • UI Changes

    • The URL would not be updated when selecting a time interval in the distribution chart on the Search page. This issue is now fixed.

  • Automation and Alerts

    • If polling queries were slow, then Scheduled Searches could fire twice. This issue is now fixed.

    • Filter Alerts installed from a package would show up under General and not under the Package name. This issue has been fixed.

    • Falcon LogScale repository actions have now been fixed for cases where they would ingest data into a repository even though ingest was blocked.

    • With Scheduled Searches installed from a package, if you edited the scheduled search and then updated the package, then you would get two copies of the scheduled search. This issue is now fixed.

    • Changes to uploaded files due to a package update would be kept even though the package update failed and other changes were rolled back. This wrong behavior has been fixed.

  • Dashboards and Widgets

    • Queries on a dashboard have been fixed as they would be invalid if the dashboard filter contained a single-line comment.

    • Widgets description tips on dashboards have been fixed as they would not show or have the same text for multiple widgets.

    • If you chose a page size larger than the number of rows, the page number and page size buttons would disappear. The Table widget now always shows the pagination buttons on the Search page where auto page size is turned off. On the dashboard, where auto page size is turned on, the existing behaviour remains.

  • Log Collector

    • Fleet Overview in Fleet Management would hang and not display any data. This behavior has been fixed.

  • Functions

    • Fixed a bug where join() queries could result in a memory leak from their sub queries not being properly cleaned up.

    • The hash() query function would sometimes compute incorrect hashes when the field was formatted in UTF8. This is now fixed.

    • Fixed an issue that could result in cluster performance degradation using join() under certain circumstances.

    • Field names in the query used to export results to CSV had not been quoted correctly: they have now been fixed.

    • The format() function has been fixed as the US date format modifier resulted in the EU date format instead.

  • Other

    • The following repository issues have been fixed:

      • After multiple attempts in quick succession to create a repository with the same name, repositories would become inaccessible.

      • Some repositories could only be created partially and would be left as partially initialized in LogScale Internal Architecture used by LogScale.