Falcon LogScale 1.142.4 LTS (2024-12-17)
Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Config. Changes? |
---|---|---|---|---|---|---|---|
1.142.4 | LTS | 2024-12-17 | Cloud | 2025-07-31 | No | 1.112 | No |
Hide file hashes
TAR Checksum | Value |
---|---|
MD5 | 46e03b9a1ede2060d3c8bf9a25b911f6 |
SHA1 | 886af9087b98b610c920f83febce4c63c8d88c5d |
SHA256 | b291f2475cddd3dc725c4ee3eb8de07358ed6ce419ae80a0d7be601f54af3b1f |
SHA512 | 5099f6aa1db5bd7b07fe4e9d4b9896066e79a107bf7137915b8366e1f3507e1023722dc726f64ab227df0d9a12870291ff8effa11ebc42787a4cebf545d09a70 |
Docker Image | Included JDK | SHA256 Checksum |
---|---|---|
humio | 22 | 03744c0915c08858e830b97cd378ae4ff99aadbcf48a04577be980fc1566c199 |
humio-core | 22 | 56c3c63c56bc1326f98712d0e2ea989352dc555684d8e6ec55694c0c18ad6aa7 |
kafka | 22 | e42e0305c854d26a4adc09b26bbf77bb1383e56afe93005975efbf8756c09996 |
zookeeper | 22 | 32114da378502a98f093bf21dfb1d2e435916a654e86ac0e92ac1ea383757b3a |
Download
These notes include entries from the following previous releases: 1.142.1, 1.142.3
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
Functions
The
limit
parameter has been added to therdns()
function. It is controlled by dynamic configurationsRdnsMaxLimit
andRdnsDefaultLimit
. This is a breaking change addition due to incidents caused by the large implicit limit used before.For more information, see
rdns()
.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
The LogScale Launcher Script script for starting LogScale will be modified to change the way CPU core usage can be configured. The
-XX:ActiveProcessorCount=n
command-line option will be ignored if set. Users that need to configure the core count manually should setCORES=n
environment variable instead. This will cause the launcher to configure both LogScale and the JVM properly.This change is scheduled for 1.148.0.
For more information, see Configuring Available CPU Cores.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following API endpoints are deprecated and marked for removal in 1.148.0:
POST
/api/v1/clusterconfig/kafka-queues/partition-assignment
GET
/api/v1/clusterconfig/kafka-queues/partition-assignment
POST
/api/v1/clusterconfig/kafka-queues/partition-assignment/set-replication-defaults
The deprecated methods are used for viewing and changing the partition assignment in Kafka for the ingest queue. Administrators should use Kafka's own tools for editing partition assignments instead, such as the bin/kafka-reassign-partitions.sh and bin/kafka-topics.sh scripts that ship with the Kafka install.
The
server.tar.gz
release artifact has been deprecated. Users should switch to theOS/architecture-specific server-linux_x64.tar.gz
orserver-alpine_x64.tar.gz
, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK, we will bundle one with releases instead.We are making this change for the following reasons:
By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.
Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.
By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.
The last release where
server.tar.gz artifact
is included will be 1.154.0.We are deprecating the
humio/kafka
andhumio/zookeeper
Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.Better alternatives are available going forward. We recommend the following:
If you still require
humio/kafka
orhumio/zookeeper
for needs that cannot be covered by these alternatives, please contact Support and share your concerns.The
HUMIO_JVM_ARGS
environment variable in the LogScale Launcher Script script will be removed in 1.154.0.The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at Configuration.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
API
It is no longer possible to revive a query by polling it after it has been stopped.
For more information, see Running Query Jobs.
Other
LogScale deletes
humiotmp
directories when gracefully shut down, but this can causetmp
directories to leak if LogScale crashes. LogScale now also deletes these directories on startup.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The bundled JDK is upgraded to 22.0.2.
The Kafka client has been upgraded to 3.7.0. The Kafka server version in the deprecated humio/kafka Docker image is also upgraded to 3.7.0.
Bundled JDK upgraded to 22.0.1.
The JDK has been upgraded to 23.0.1
New features and improvements
Installation and Deployment
Changing the
NODE_ROLES
of a host is now forbidden. A host will now crash if the role it is configured to have doesn't match what is listed in global for that host. People wishing to change the role of a host in a cluster should instead remove that host from the cluster by unregistering it, wipe the data directory of the host, and boot the node back into the cluster as if it were a completely new node. The node will be assigned a new vhost identifier when doing this.Unused modules have been removed from the JDK bundled with LogScale releases, thus reducing the size of release artifacts.
UI Changes
Time zone data has been updated to IANA 2024a and has been trimmed to +/- 5 years from the release date of IANA 2024a.
Layout changes have been made in the
Connections
UI page.For more information, see Connections.
The maximum limit for saved query names has been set to 200 characters.
The warnings for numbers out of the browser's safe number range have been slightly modified.
For more information, see Troubleshooting: UI Warning: The actual value is different from what is displayed.
A new Event List. It formats all fields in the event in key-value pairs by grouping a field list by prefix.
column type has been added in theFor more information, see Column Properties.
Automation and Alerts
Scheduled Reports can now be created. Scheduled Reports generate reports directly from dashboards and send them to the selected email addresses on a regular schedule.
For more information, see Scheduled PDF Reports.
Two new GraphQL fields have been added in the
ScheduledSearch
datatype:lastExecuted will hold the timestamp of the end of the search interval on the last scheduled search run.
lastTriggered will hold the timestamp of the end of the search interval on the last scheduled search run that found results and triggered actions.
These two new fields are now also displayed in the
Scheduled Searches
user interface.For more information, see Last Executed and Last Triggered Scheduled Search.
GraphQL API
A new unsetDynamicConfig GraphQL mutation is introduced to unset dynamic configurations.
Added a new GraphQL API generateParserFromTemplate() for decoding a parser YAML template without installing it.
API
Upgrade to the latest Jakarta Mail API to prevent a warning message from being logged about a missing mail configuration file.
Information about files used in a query is now added to the query result returned by the API.
Configuration
The
EXACT_MATCH_LIMIT
configuration has been removed. It is no longer needed, since files are limited by size instead of rows.When
UNSAFE_RELAX_MULTI_CLUSTER_PROTOCOL_VERSION_CHECK
is set to ensure Multi-Cluster Compatibility Across Versions, attempting to search in clusters older than version 1.131.2 is not allowed and a UI message will now be displayed.A new
QueryBacktrackingLimit
dynamic configuration is available through GraphQL as experimental. It allows to limit a query iterating over individual events too many times (which may happen with an excessive use ofcopyEvent()
,join()
andsplit()
functions, orregex()
with repeat-flags). The default for this limit is 3,000 and can be modified with the dynamic configuration. At present, the feature flag sets this limit off by default.
Ingestion
Self-hosted only: derived tags (like
#repo
) are now included when executing Event Forwarding Rules. These fields will be included in the forwarded events unless filtered byselect()
ordrop(#repo)
in the rule.Audit logs related to Event Forwarders no longer include the properties of the event forwarder.
Event forwarder disablement is now audit logged with type disable instead of enable.
The parser assertions can now be written and loaded to YAML files, using the V3 parser format.
Dashboards and Widgets
A parameter panel widget type has been added to allow users to drag parameters from the top panel and into these panels. Also, a parameter
width
is now adjustable in the settings.For more information, see Parameter Panel Widget.
Log Collector
Fleet Management now supports ephemeral hosts. If a collector is enrolled with the parameter
--ephemeralTimeout
, after being offline for the specified duration in hours it will disappear from theFleet Overview
interface and be unenrolled. The feature requires LogScale Collector version 1.7.0 or above.Live and Historic options for
Fleet Overview
are introduced. When Live, the overview will show online collectors and continuously be updated with e.g. new CPU metrics or status changes. The Historic view will display all records of collectors for the last 30 days. In this case the overview will not be updated with new information.For more information, see Switching between Live and Historic overview.
Functions
The
onlyTrue
parameter has been added to thebitfield:extractFlags()
query function, it allows to output only flags whose value istrue
.For more information, see
bitfield:extractFlags()
.array:filter
has been fixed as performing a filter test on an array field outputted from this function would sometimes lead to no results.The query editor now gives warnings about certain regex constructs that are valid but suboptimal. Specifically, quantified wildcards in the beginning or end of an (unanchored) regex.
Multi-valued arguments can now be passed to a saved query.
For more information, see User Functions (Saved Searches).
Other
A new metric
max_ingest_delay
is introduced to keep track of the current maximum ingest delay across all Kafka partitions.Two new metrics have been introduced:
internal-throttled-poll-rate
keeps track of the number of times polling workers during query execution was throttled due to rate limiting.internal-throttled-poll-wait-time
keeps track of maximum delays per poll round due to rate limiting.
Fixed in this release
Storage
Taking nodes offline in a cluster that does not use bucket storage could prevent cleanup of mini-segments associated with merge targets owned by the offline nodes, causing global to grow. To solve this, the cluster now moves merge targets that have not yet achieved full replication to follow digest nodes.
The Did not query segment error spuriously appearing when the cluster performs digest reassignment has now been fixed.
The file synchronization job would stop if upload to bucket storage fails. This issue has been fixed.
Dashboards and Widgets
Shared dashboards created on the special humio-search-all view wouldn't load correctly. This issue has now been fixed.
The execution of dashboard parameter queries has been changed to only run as live when the dashboard itself is live.
Dragging a parameter to an empty Parameter Panel Widget would sometimes not move the parameter. This issue has been fixed.
Functions
The query editor has been fixed as field auto-completions would sometimes not be suggested.
The query editor would mark the entire query as erroneous when
count()
was given withdistinct=true
parameter but missing an argument for thefield
parameter. This issue has been fixed.Live queries using Field Aliasing on a repository with Tag Groupings enabled could fail. This issue has now been fixed.
The
time:xxx()
functions have been fixed as they did not correctly use the query's time zone as default. The offset was applied in an opposite manner, such that for example GMT+2 was applied as GMT-2. This has now been fixed.
Other
A regression introduced in version 1.132 has been fixed, where a file name starting with
shared/
would be recognized as a shared file instead of a regular file. However, a shared file should be referred to using exactly/shared/
as a prefix.Fixing a very rare edge case that could cause creation of malformed entities in global when a nested entity — such as a datasource — was deleted.
Improvement
UI Changes
When a saved query is used, the query editor will display the query string when hovering over it.
Storage
Logging improvements have been made around bucket uploads to assist with troubleshooting slow uploads, which are only seen in clusters with very large data sets.
Packages
Validate that there are no duplicate names used for each package template type during package installations (for example you cannot use the same name for multiple parsers that are part of the same package).