Falcon LogScale 1.113.0 Preview (2023-11-09)

Version:             1.113.0
Type:                Preview
Release Date:        2023-11-09
Availability:        Cloud, On-Prem
End of Support:      2025-01-17
Security Updates:    No
Upgrades From:       1.70.0
JDK Compatibility:   17
Req. Data Migration: No
Config. Changes:     No

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Functions

    • The new parameter unit is added to formatTime() to specify whether the input field is in seconds or milliseconds, or if it should be auto-detected by the system.

      This is a breaking change: if you want to ensure fully backward-compatible behavior, set unit=milliseconds.

      For more information, see formatTime().
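      As an added illustration (not code from the LogScale documentation or product), the following Python sketch shows why the new unit parameter is a breaking change: the same epoch value renders very differently depending on whether it is read as seconds or milliseconds, so a field that previously always received the millisecond interpretation can change output once auto-detection is allowed. The magnitude heuristic in guess_unit() and all helper names are assumptions made for this example, not LogScale's detection rule.

```python
from datetime import datetime, timezone

# Constructed sample values: the same instant, 2023-11-09T12:00:00Z, stored
# once as epoch seconds and once as epoch milliseconds.
SAMPLE_SECONDS = 1_699_531_200
SAMPLE_MILLIS = 1_699_531_200_000

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def format_epoch(value, unit="milliseconds", fmt=ISO_FMT):
    """Render an epoch value using the unit the caller declares.

    This mirrors the effect of pinning unit=milliseconds in formatTime():
    the declared unit always wins, whatever the magnitude of the input.
    (Helper written for this example; not LogScale code.)
    """
    if unit == "milliseconds":
        seconds = value / 1000
    elif unit == "seconds":
        seconds = value
    else:
        raise ValueError(f"unsupported unit: {unit!r}")
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(fmt)


def guess_unit(value):
    """Illustrative magnitude heuristic (an assumption for this example, not
    LogScale's auto-detection rule): epoch seconds for any realistic event
    time have at most 10 digits, epoch milliseconds have 13.
    """
    return "seconds" if abs(value) < 10**11 else "milliseconds"


def format_auto(value, fmt=ISO_FMT):
    """Render with the guessed unit, standing in for unit=auto."""
    return format_epoch(value, guess_unit(value), fmt)


def upgrade_impact(values):
    """Return the values whose rendering differs between the pre-1.113
    behaviour modelled here (always milliseconds) and auto-detection.

    Running this over a sample of a field's values shows which events would
    change output after the upgrade unless unit=milliseconds is set.
    """
    return [v for v in values
            if format_epoch(v, "milliseconds") != format_auto(v)]


if __name__ == "__main__":
    # A seconds-valued field read as milliseconds lands in January 1970.
    print(format_epoch(SAMPLE_SECONDS))             # 1970-01-20T16:05:31Z
    print(format_epoch(SAMPLE_SECONDS, "seconds"))  # 2023-11-09T12:00:00Z
    print(format_auto(SAMPLE_MILLIS))               # 2023-11-09T12:00:00Z
    print(upgrade_impact([SAMPLE_SECONDS, SAMPLE_MILLIS]))  # [1699531200]
```

      The practical check before upgrading is the one upgrade_impact() models: sample the fields your saved queries, alerts and dashboards pass to formatTime(), and pin unit=milliseconds wherever downstream logic depends on the output staying identical.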

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Automation and Alerts

    • We have changed how Scheduled Searches handle query warnings, similar to what was done for Standard Alerts (see Falcon LogScale 1.112.0 Preview (2023-10-24)). Previously, LogScale only triggered Scheduled Searches if there were no query warnings. Now, scheduled searches will trigger despite most query warnings, and the scheduled search status will show a warning instead of an error.

      For query warnings about missing data, whether due to ingest delay or to existing data that is currently unavailable, the scheduled search will retry for up to 10 minutes by default. This waiting time is configurable; see SCHEDULED_SEARCH_MAX_WAIT_FOR_MISSING_DATA for more information.

      Until now, all query warnings were treated as errors: the scheduled search did not trigger even though it produced results, and it was shown with an error in LogScale. Most query warnings mean that not all data was queried. The previous behaviour prevented a scheduled search from triggering in cases where it would not have triggered had all data been available, for instance a scheduled search that triggers when a count of events drops below a threshold. On the other hand, it also stopped some scheduled searches from triggering even though they would have triggered had all data been available. In other words, previously a scheduled search would almost never trigger when it should not, but it would sometimes fail to trigger when it should have. We have reverted this behavior.

      With this change, we no longer recommend setting the configuration option SCHEDULED_SEARCH_DESPITE_WARNINGS to true, since it treats all query warnings as non-errors, and there are a few query warnings that should make the scheduled search fail.

Improvements, new features and functionality

  • UI Changes

    • Lookup Files require unique column headers to work as expected. Previously this was only validated when attempting to use the file, so an invalid file could still be installed into LogScale. Now, lookup files with duplicate header names are also blocked from being installed.

  • Automation and Alerts

    • When clearing errors on alerts or scheduled searches, all notifications about the problem are now deleted automatically as soon as the error is cleared. Previously, notifications were only updated every 15 minutes. Note that if the error returns, a new notification will be created.

  • GraphQL API

    • The redactEvents() mutation will no longer be allowed for users who have a limiting query prefix.

  • Configuration

    • Added validation of the LOCAL_STORAGE_PERCENTAGE configuration against targetDiskUsagePercentage, which may be set at runtime, to enforce that LOCAL_STORAGE_PERCENTAGE is at least 5 percentage points larger than targetDiskUsagePercentage. Nodes that violate this constraint will not be able to start. In addition, the setTargetDiskUsagePercentage mutation will not allow the constraint to be violated.

  • Ingestion

    • When navigating between parser test cases, the table showing the outputs for the test case will now scroll to the top when you select a new test case.

  • Dashboards and Widgets

    • A Show thousands separator option has been added to the Number format configuration of the Table widget.

  • Functions

    • The new query function if() is introduced to compute one of two expressions depending on the outcome of a test.

    • The new query function parseUri() is introduced to support parsing of URIs without a scheme.

    • The new query function duration() is introduced: it can be helpful in computations involving timestamps.

Bug Fixes

  • UI Changes

    • The page for creating repository or view tokens would fail to load if the user did not have the Change IP filters organization settings permission.

  • Automation and Alerts

    • If a filter alert, standard alert or scheduled search was reassigned to run on another node in the cluster because the set of available cluster nodes changed, it would be wrongly marked as failing with an error like "The alert is broken. Save the alert again to fix it", together with an error log entry. This issue is now fixed.

  • Ingestion

    • Parser timeout errors that could occur on ingested events during shutdown have now been fixed.

  • Functions

    • The cidr() query function would fail to find some events when the parameter negate=true was set. This incorrect behavior has now been fixed.