Falcon LogScale 1.113.0 GA (2023-11-09)
Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Config. Changes? |
---|---|---|---|---|---|---|---|
1.113.0 | GA | 2023-11-09 | Cloud | 2025-01-31 | No | 1.70.0 | No |
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Functions
The new parameter
unit
is added toformatTime()
to specify whether the input field is in seconds or milliseconds, or if it should be auto-detected by the system.This is a breaking change: if you want to ensure fully backward-compatible behavior, set
unit=milliseconds
.For more information, see
formatTime()
.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
We intend to drop support for Java 17, making Java 21 the minimum. We plan to make this change in March 2024.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Automation and Alerts
We have changed how Scheduled Searches handle query warnings, similar to what was done for Standard Alerts (see Falcon LogScale 1.112.0 GA (2023-10-24)). Previously, LogScale only triggered Scheduled Searches if there were no query warnings. Now, scheduled searches will trigger despite most query warnings, and the scheduled search status will show a warning instead of an error.
For query warnings about missing data, either due to ingest delay or some existing data that is currently unavailable, the scheduled search will retry for up to 10 minutes by default. This waiting time is configurable, see
SCHEDULED_SEARCH_MAX_WAIT_FOR_MISSING_DATA
for more information.Up until now, all query warnings were treated as errors: the scheduled search did not trigger even though it produced results, and the scheduled search was shown with an error in LogScale. Most query warnings meant that not all data was queried. The previous behaviour prevented the scheduled search from triggering in cases where it would not have, if all data had been available. For instance, a scheduled search that would trigger if a count of events dropped below a threshold. On the other hand, it made some scheduled searches not trigger, even though they would still have if all data was available. That meant that previously you would almost never have a scheduled search trigger when it should not, but you would sometimes have a scheduled search not trigger, when it should have. We have reverted this behavior.
With this change, we no longer recommend to set the configuration option
SCHEDULED_SEARCH_DESPITE_WARNINGS
totrue
, since it treats all query warnings as non-errors, and there are a few query warnings that should make the scheduled search fail.
New features and improvements
UI Changes
Lookup Files require unique column headers to work as expected, which was previously validated when attempting to use the file. You could still install an invalid file into LogScale however, but now lookup files with duplicate header names are also blocked from being installed.
Automation and Alerts
When clearing errors on alerts or scheduled searches, all notifications about the problem are now automatically deleted right when the error is cleared. Previously, notifications were only updated every 15 minutes. Note, that if the error returns, a new notification will be created.
GraphQL API
The redactEvents() mutation will no longer be allowed for users who have a limiting query prefix.
Configuration
Added validation for
LOCAL_STORAGE_PERCENTAGE
configuration against thetargetDiskUsagePercentage
, that might be set on runtime, to enforce that theLOCAL_STORAGE_PERCENTAGE
variable is at least 5 percentage points larger thantargetDiskUsagePercentage
. Nodes that are violating this constraint will not be able to start. In addition, the setTargetDiskUsagePercentage mutation will not allow violating the constraint.
Dashboards and Widgets
Table
widget.
Ingestion
When navigating between parser test cases, the table showing the outputs for the test case will now scroll to the top when you select a new test case.
Functions
The new query function
duration()
is introduced: it can be helpful in computations involving timestamps.The new query function
parseUri()
is introduced to support parsing of URIs without a scheme.The new query function
if()
is introduced to compute one of two expressions depending on the outcome of a test.
Fixed in this release
UI Changes
The page for creating repository or view tokens would fail to load if the user didn't have a
Change IP filters
Organization settings permission.
Automation and Alerts
If a filter alert, standard alert or scheduled search was assigned to run on another node in the cluster, due to changes to the available cluster nodes, they would be wrongly marked as failing with an error like The alert is broken. Save the alert again to fix it and an error log. This issue is now fixed.
Ingestion
Parser timeout errors on ingested events that would occur at shutdown have now been fixed.
Functions
cidr()
query function would fail to find some events when parameternegate=true
was set. This incorrect behavior has now been fixed.