Falcon LogScale 1.112.0 Preview (2023-10-24)

Version?Type?Release Date?Availability?End of Support







Req. Data







Bug fixes and updates.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Automation and Alerts

    • We have changed how Standard Alerts handle query warnings. Previously, LogScale only triggered alerts if there were no query warnings. Now, alerts will trigger despite most query warnings, and the alert status will show a warning instead of an error. Up until now, all query warnings were treated as errors. This meant that the alert did not trigger even though it produced results, and the alert was shown with an error in LogScale. Most query warnings mean that not all data was queried. The previous behaviour prevented the alert from triggering in cases where it would not have, if all data had been available. For instance, an alert that would trigger if a count of events dropped below a threshold. On the other hand, it made some alerts not trigger, even though they would still have if all data was available. That meant that previously you would almost never get an alert that you should not have gotten, but you would sometime not get an alert that you should have gotten. We have reverted this. With this change, we no longer recommend to set the configuration option ALERT_DESPITE_WARNINGS to true, since it treats all query warnings as non-errors, and there are a few query warnings that should make the alert fail.

      For more information, see Diagnosing Alerts.

Improvements, new features and functionality

  • Installation and Deployment

    • Configure LogScale to write fatal JVM error logs in the JVM logging directory, which is specified using JVM_LOG_DIR variable. The default directory is /logs/humio.

  • UI Changes

    • The behavior of the ComboBox has changed: the drop-down is not filtered until the text in the filter field has been edited, allowing you to easily copy, alter or clear the text.

    • The list of permissions now has a specific custom order in the UI, as follows.

      • Organization:

        1. Organization settings

        2. Repository and view management

        3. Permissions and user management

        4. Fleet management

        5. Query monitoring

        6. Other

      • Cluster management:

        1. Cluster management

        2. Organization management

        3. Subdomains

        4. Others

    • A combined view of permissions is now available to show all roles listed together when there is more than one role under each repository, organization, or system.

      For more information, see Aggregate Permissions.

  • Automation and Alerts

    • The Alert forms will not show any errors when the alert is disabled.

  • Dashboards and Widgets

    • You can enable the export of Dashboards to a PDF file, with many options available to control the output layout and formatting.

      The feature is available to all users who already have access to dashboard data. This is the first of two feature releases, aiming to provide full schedulable PDF reporting capabilities to LogScale.

      For more information, see Exporting Dashboards as PDF.

    • The new Gauge widget is introduced: it allows you to represent values on a fixed scale, offering a visual and intuitive way to monitor key performance metrics.

      For more information, see Gauge Widget.

Bug Fixes

  • UI Changes

    • Time Selector and date picker in the Time Interval panel have been fixed for issues related to daylight savings time.

    • Queries could "flicker" for a short period causing "negative alerts" to trigger for no reason (negative alerts are alerts that check for the absence of events). This issue has been fixed.

  • Automation and Alerts

    • Notifications on problems with Filter Alerts where not automatically removed when the problem was solved. This issue is now fixed.

  • GraphQL API

    • When trying to delete an Alert, Scheduled Search or Dashboard using a mutation for one of the other types, it would end up in a state where it was not deleted, but could not run either. This issue is now fixed.

  • Other

    • A minor logging issue has been fixed: ClusterHostAliveStats would log that hosts were "changed from being considered dead to alive" on hosts that had just rebooted, when such hosts actually consider all other nodes alive for a little while, to allow the booting node some time to hear heartbeats from others.

  • Packages

    • The alert types in Package Marketplace were showing twice — this is now fixed so it properly shows one type as expected.