Falcon LogScale 1.109.0 Preview (2023-09-26)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | JDK Compatibility? | Req. Data Migration | Config. Changes? |
|---|---|---|---|---|---|---|---|---|---|
| 1.109.0 | Preview | 2023-09-26 | Cloud On-Prem | 2024-11-30 | No | 1.70.0 | 17-21 | No | No |
Bug fixes and updates.
Advanced Warning
The following items are due to change in a future release.
Automation and Alerts
In LogScale version 1.112 we will change how standard alerts handle query warnings. Currently, LogScale will only trigger alerts if there are no query warnings. Starting with upcoming 1.112, alerts will trigger despite most query warnings, and the alert status will show a warning instead of an error.
Up until now, all query warnings have been treated as errors. This means that the alert does not trigger even though it produces results, and the alert is shown with an error in LogScale. Most query warnings mean that not all data was queried. The current behaviour prevents the alert from triggering in cases where it would not have, if all data had been available. For instance, an alert that would trigger if a count of events dropped below a threshold. On the other hand, it makes some alerts not trigger, even though they would still have if all data was available. That means that currently you will almost never get an alert that you should not have gotten, but you will sometime not get an alert that you should have gotten. We plan to revert this.
When this change happens, we no longer recommend to set the configuration option
ALERT_DESPITE_WARNINGStotrue, since it treats all query warnings as non-errors, and there are a few query warnings that should make the alert fail.
Upgrades
Changes that may occur or be required during an upgrade.
Configuration
Docker containers have been upgraded to Java 21.
Improvements, new features and functionality
Automation and Alerts
The new button has been added to the Scheduled Searches form allowing importing a Scheduled Search from template or package.
When creating or updating Scheduled Searches using the GraphQL API, it is now possible to refer to actions in Packages using a qualified name of
\"packagescope/packagename:actionname\". Actions in packages will no longer be found if using an unqualified name.When generating CSV files for attaching to emails or uploading to LogScale in actions, or when using the message template {events_html}, the field @ingesttimestamp is now formatted similar to how @timestamp is.
The UI flow for Scheduled Searches has been updated: when you click on it will directly go to the New Scheduled Search form.
Configuration
LOCAL_STORAGE_PREFILL_PERCENTAGEnew configuration option has been added.For more information, see
LOCAL_STORAGE_PREFILL_PERCENTAGE.Set the default value of
LOCAL_STORAGE_PERCENTAGEto85, and the minimum value to0. The default was previously to leave this unset, which is not safe in clusters where bucket storage contains more data than will fit on local drives.
Log Collector
The Fleet Management tab on
Fleet Overviewpage is now renamed to Data Ingest.
Functions
parseCEF()andparseLEEF()functions now have an option to change the prefix of the header fields.
Bug Fixes
Automation and Alerts
Filter alerts that could fail right after a cluster restart have now been fixed.
Other
A cluster with very little disk space left could result in excessive logging from
com.humio.distribution.RendezvousSegmentDistribution.
Packages
Updating a package with a lookup file and a parser/scheduled search/filter alert/alert containing match would fail if the new
columnparameter did not exist in the old lookup file. This issue has now been fixed.