Falcon LogScale 1.109.0 Preview (2023-09-26)

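| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | JDK Compatibility | Req. Data Migration | Config. Changes |
|---|---|---|---|---|---|---|---|---|---|
| 1.109.0 | Preview | 2023-09-26 | Cloud, On-Prem | 2024-11-15 | No | 1.70.0 | 17 | No | No |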

Bug fixes and updates.

Advanced Warning

The following items are due to change in a future release.

  • Automation and Alerts

    • In LogScale version 1.112 we will change how standard alerts handle query warnings. Currently, LogScale will only trigger alerts if there are no query warnings. Starting with upcoming 1.112, alerts will trigger despite most query warnings, and the alert status will show a warning instead of an error.

      Up until now, all query warnings have been treated as errors. This means that the alert does not trigger even though the query produces results, and the alert is shown with an error in LogScale. Most query warnings mean that not all data was queried. The current behaviour prevents the alert from triggering in cases where it would not have triggered had all data been available, for instance an alert that triggers if a count of events drops below a threshold. On the other hand, it also stops some alerts from triggering even though they would still have triggered if all data had been available. That means that currently you will almost never get an alert that you should not have gotten, but you will sometimes not get an alert that you should have gotten. We plan to reverse this.

      When this change happens, we will no longer recommend setting the configuration option ALERT_DESPITE_WARNINGS to true, since it treats all query warnings as non-errors, and there are a few query warnings that should make the alert fail.
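
The trade-off described above, worked through as an added example (a simplified model written for this page, not LogScale code). The segment data, alert conditions and all function names are assumptions, and only warnings of the "not all data was queried" kind are modelled.

```python
# Added illustration: a simplified model of the behaviour described above,
# not LogScale code. All names here are hypothetical.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Segment:
    events: int        # events in this slice of data (constructed sample values)
    available: bool    # False => the query could not read it and reports a warning

def run_query(segments: List[Segment]) -> Tuple[int, bool]:
    """Count events in readable segments; flag a warning if any were skipped."""
    count = sum(s.events for s in segments if s.available)
    warning = any(not s.available for s in segments)
    return count, warning

def evaluate(segments, condition: Callable[[int], bool], fire_despite_warning: bool):
    """Return (triggered, status, verdict) for one alert run.

    fire_despite_warning=False models the current behaviour (a warning is an error);
    True models the behaviour announced for 1.112 for partial-data warnings.
    """
    count, warning = run_query(segments)
    should_fire = condition(sum(s.events for s in segments))  # ground truth, all data
    if warning and not fire_despite_warning:
        triggered, status = False, "error"
    else:
        triggered, status = condition(count), "warning" if warning else "ok"
    if triggered == should_fire:
        verdict = "correct"
    else:
        verdict = "false alert" if triggered else "missed alert"
    return triggered, status, verdict

# Constructed sample: three segments, one unreadable during the query.
SEGMENTS = [Segment(40, True), Segment(40, True), Segment(40, False)]
ALERTS = {
    "count drops below 100": lambda n: n < 100,   # absence-style detection
    "count exceeds 50": lambda n: n > 50,         # presence-style detection
}

def compare():
    """Map alert name -> {policy: (triggered, status, verdict)} for both policies."""
    return {name: {"current": evaluate(SEGMENTS, cond, False),
                   "1.112": evaluate(SEGMENTS, cond, True)}
            for name, cond in ALERTS.items()}

if __name__ == "__main__":
    for name, outcomes in compare().items():
        for policy, outcome in outcomes.items():
            print(f"{name:24} {policy:8} {outcome}")
```

In this model the "warning" status is the only cue that a trigger may rest on partial data, so it is the field to check before acting on an alert of the drops-below-threshold kind.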

Upgrades

Changes that may occur or be required during an upgrade.

  • Configuration

    • Docker containers have been upgraded to Java 21.

Improvements, new features and functionality

  • Automation and Alerts

    • When creating or updating Scheduled Searches using the GraphQL API, it is now possible to refer to actions in Packages using a qualified name of "packagescope/packagename:actionname". Actions in packages will no longer be found if using an unqualified name.

    • The UI flow for Scheduled Searches has been updated: when you click on New Scheduled Search it will directly go to the New Scheduled Search form.

    • A new Import from button has been added to the Scheduled Searches form, allowing you to import a Scheduled Search from a template or package.

    • When generating CSV files for attaching to emails or uploading to LogScale in actions, or when using the message template {events_html}, the field @ingesttimestamp is now formatted similarly to @timestamp.

  • Configuration

  • Log Collector

    • The Fleet Management tab on the Fleet Overview page has been renamed to Data Ingest.

  • Functions

Bug Fixes

  • Automation and Alerts

    • An issue where filter alerts could fail right after a cluster restart has now been fixed.

  • Other

    • A cluster with very little disk space left could result in excessive logging from com.humio.distribution.RendezvousSegmentDistribution.

  • Packages

    • Updating a package with a lookup file and a parser/scheduled search/filter alert/alert containing match would fail if the new column parameter did not exist in the old lookup file. This issue has now been fixed.