Falcon LogScale 1.106.6 LTS (2024-01-22)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Config. Changes? |
|---|---|---|---|---|---|---|---|
| 1.106.6 | LTS | 2024-01-22 | Cloud | 2024-09-30 | No | 1.70.0 | No |
Hide file hashes
| TAR Checksum | Value |
|---|---|
| MD5 | 731ff35cbdf1b8239240a23e960f61b1 |
| SHA1 | 98de7c0b7ce4c381065b74806ac78fd6cdee32ba |
| SHA256 | 92392ab60d33e766199ad07c00e9f55020cca33711580ec5b637350608530db3 |
| SHA512 | 06d18de13a169cb89811abaa0f89a4824ee208bb9efb76cad950ba770758dbc7c42297eec6cf982d48abadbfd76af3e51b558a0b26ce4e5f75b1e32280545d51 |
| Docker Image | SHA256 Checksum |
|---|---|
| humio | c6000d8e21b4670a537992438d38db8e6912679a1bb8ab5fae3850271c174ed3 |
| humio-core | 9f8d3e32abe2c2ca4402d0a91adf4780556f40041fdd5a385387bfcbf205d9df |
| kafka | b955111d2e83b1838cb3d266f3b121424de82114189fd5d4f6001f38619304c4 |
| zookeeper | 05f6801ef1035b76a7224dd0b088c549708d3c88d176854330b6f068a00e4b7d |
Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.106.6/server-1.106.6.tar.gz
These notes include entries from the following previous releases: 1.106.2, 1.106.4, 1.106.5
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.
Automation and Alerts
In LogScale version 1.112 we will change how standard alerts handle query warnings. Currently, LogScale will only trigger alerts if there are no query warnings. Starting with upcoming 1.112, alerts will trigger despite most query warnings, and the alert status will show a warning instead of an error.
Up until now, all query warnings have been treated as errors. This means that the alert does not trigger even though it produces results, and the alert is shown with an error in LogScale. Most query warnings mean that not all data was queried. The current behaviour prevents the alert from triggering in cases where it would not have, if all data had been available. For instance, an alert that would trigger if a count of events dropped below a threshold. On the other hand, it makes some alerts not trigger, even though they would still have if all data was available. That means that currently you will almost never get an alert that you should not have gotten, but you will sometime not get an alert that you should have gotten. We plan to revert this.
When this change happens, we no longer recommend to set the configuration option
ALERT_DESPITE_WARNINGStotrue, since it treats all query warnings as non-errors, and there are a few query warnings that should make the alert fail.
Upgrades
Changes that may occur or be required during an upgrade.
Security
xmlsec has been upgraded to 2.3.4 to address CVE-2023-44483 issue.
New features and improvements
Installation and Deployment
The following adjustments have been made to the launcher script:
Removed UnlockDiagnosticVMOptions
Raised default heap size to 75% of host memory, up from 50%
Move -XX:CompileCommand settings into the mandatory launch options, to prevent accidentally removing them when customizing
HUMIO_JVM_PERFORMANCE_OPTSSet -XX:MaxDirectMemorySize to 1/5GB per CPU core as a default.
Print a warning if the sum of the heap size and the direct memory setting exceeds the total available memory.
UI Changes
The Show in context dialog now closes when the button in the dialog is clicked.
The fields and values in the Fields Panel and in the Event List are now sorted case-insensitively.
Automation and Alerts
It is now possible to import and export Filter Alerts in Packages from the UI.
When creating or updating Filter Alerts using the GraphQL API, it is now possible to refer to actions in Packages using a qualified name of
\"packagescope/packagename:actionname\". Actions in packages will no longer be found if using an unqualified name.The UI flow for Alerts has been updated — when you click on you are directly presented with the New alertform.
Importing an alert from template or package is done from the new button now located on top of the New alert form.
When installing or updating a package with an Alert or Scheduled search referencing an action that is not part of the package, the error is now shown in the UI. Previously, a generic error was shown.
Added a status field to some of the logs for Standard Alerts and Filter Alerts as well as Scheduled Searches. The field shows whether the current run of the job resulted in a
SuccessorFailurefor the Alert or Scheduled Search.For more information, see Monitoring Alert Execution through the humio-activity Repository.
When installing a package, all actions referenced by Alerts and Scheduled searches in the package must be contained in the packages. Previously, missing actions were just ignored.
It is now possible to create Packages containing Filter Alerts, as well as importing such packages, using the API.
GraphQL API
Added limits for GraphQL queries on the total number of selected fields and fragments. Defaults are
1000for authenticated and150for unauthenticated users.Cluster administrators can adjust these limits with the
GraphQLSelectionSizeLimitandUnauthenticatedGraphQLSelectionSizeLimitdynamic configurations.The following GraphQL mutations have been changed so that the actions field can either contain IDs or names of actions:
createAlert
updateAlert
createScheduledSearch
updateScheduledSearch
Configuration
GCS bucketing and query streaming now use the same proxy configuration as overall system proxy and S3 proxy. Example:
HTTP_PROXY_HOST,HTTP_PROXY_PORT,HTTP_PROXY_USERNAME,HTTP_PROXY_PASSWORD
Ingestion
The ability to remove fields when parsing data has been enabled for all users.
For more information, see Removing Fields.
Audit logs for Ingest Tokens now include the ingest token name.
Dashboards and Widgets
The text color styling option of the Note Widget is now included when importing a dashboard template or exporting it to a yaml file.
Increased to 10,000 the maximum amount of entries suggested in the dropdown of a parameter field of type File Parameter.
Log Collector
You can now toggle columns on the instance table, hereby specifying which information should be shown.
In Fleet Management, it is now possible to discard the draft of a configuration and rollback to the published version.
For more information, see Edit a Remote Configuration.
Functions
The
rename()function has been enhanced: it is now possible to rename multiple fields using an array in itsfieldargument. This is backwards compatible with giving separatefieldandasarguments.The new query function
wildcard()is introduced. This function makes it easy to search for case-insensitive patterns on dashboards, or in ad-hoc queries.The new query function
crypto:md5()is introduced. This function computes the MD5 hash of a given array of fields.Support for decimal values as exponent and divisor is now added in
math:pow()andmath:mod()functions respectively.The memory consumption of the
formatTime()function has been decreased.
Fixed in this release
UI Changes
Time Selector and date picker in the Time Interval panel have been fixed for issues related to daylight savings time.
The URL would not be updated when selecting a time interval in the distribution chart on the
Searchpage. This issue is now fixed.
Automation and Alerts
If polling queries were slow, then Scheduled Searches could fire twice. This issue is now fixed.
Filter Alerts installed from a package would show up under General and not under the Package name. This issue has been fixed.
Falcon LogScale repository actions have now been fixed for cases where they would ingest data into a repository even though ingest was blocked.
With Scheduled Searches installed from a package, if you edited the scheduled search and then updated the package, then you would get two copies of the scheduled search. This issue is now fixed.
Changes to uploaded files due to a package update would be kept even though the package update failed and other changes were rolled back. This wrong behavior has been fixed.
Dashboards and Widgets
Queries on a dashboard have been fixed as they would be invalid if the dashboard filter contained a single-line comment.
Widgets description tips on dashboards have been fixed as they would not show or have the same text for multiple widgets.
If you chose a page size larger than the number of rows, the page number and page size buttons would disappear. The
Tablewidget now always shows the pagination buttons on theSearchpage where auto page size is turned off. On the dashboard, where auto page size is turned on, the existing behaviour remains.
Log Collector
Fleet Overviewin Fleet Management hangs and doesn't display any data. This behavior has been fixed.
Functions
Fixed a bug where
join()queries could result in a memory leak from their sub queries not being properly cleaned up.The
hash()query function would sometimes compute incorrect hashes when the field was formatted in UTF8. This is now fixed.Fixed an issue that could result in cluster performance degradation using
join()under certain circumstances.Field names in the query used to export results to CSV had not been quoted correctly: they have now been fixed.
The
format()function has been fixed as the US date format modifier resulted in the EU date format instead.
Other
Fixing a race that can leave a query in a state where it will cause an excessive amount of 404 HTTP requests. This adds unnecessary noise and a bit of extra load to the system.
The following repository issues have been fixed:
After multiple attemps in quick succession to create a repository with the same name, repositories would become inaccessible.
Some repositories could only be created partially and would be left as partially initialized in LogScale Internal Architecture used by LogScale.