Falcon LogScale 1.150.0 GA (2024-08-06)

Version?Type?Release Date?Availability?End of Support

Security

Updates

Upgrades

From?

Config.

Changes?
1.150.0GA2024-08-06

Cloud

2025-09-30No1.112No

Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK, we will bundle one with releases instead.

    We are making this change for the following reasons:

    • By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.

    • Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.

    • By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.

    The last release where server.tar.gz artifact is included will be 1.154.0.

  • The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script script will be removed in 1.154.0.

    The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at Override garbage collection configuration within the launcher script.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Functions

    • Prior to LogScale v1.147, the array:length() function accepted a value in the array argument that did not contain brackets [ ] so that array:length("field") would always produce the result 0 (since there was no field named field). The function has now been updated to properly throw an exception if given a non-array field name in the array argument. Therefore, the function now requires the given array name to have [ ] brackets, since it only works on array fields.

New features and improvements

  • Installation and Deployment

    • The Docker containers have been configured to use the following environment variable values internally: DIRECTORY=/data/humio-data HUMIO_AUDITLOG_DIR=/data/logs HUMIO_DEBUGLOG_DIR=/data/logs JVM_LOG_DIR=/data/logs JVM_TMP_DIR=/data/humio-data/jvm-tmp This configuration replaces the following chains of internal symlinks, which have been removed: /app/humio/humio/humio-data -> /app/humio/humio-data /app/humio/humio-data -> /data/humio-data /app/humio/humio/logs -> /app/humio/logs /app/humio/logs -> /data/logs This change is intended for allowing the tool scripts in /app/humio/humio/bin to work correctly, as they were previously failing due to the presence of dangling symlinks when invoked via docker run if nothing was mounted at /data.

  • UI Changes

    • Sections can now be created inside dashboards, allowing for grouping relevant content together to maintain a clean and organized layout, making it easier for users to find and analyze related information. Sections can contain data visualizations as well as Parameter Panels. Additionally, they offer more flexibility when using the Time Selector, enabling users to apply a time setting across multiple widgets.

      For more information, see Sections.

    • An organization administrator can now update a user's role on a repository or view from the Users page.

      For more information, see Manage User Roles.

  • Automation and Alerts

  • Storage

    • Support is implemented for returning a result over 1GB in size on the queryjobs endpoint. There is now a limit on the size of 8GB of the returned result. The limits on state sizes for queries remain unaltered, so the effect of this change is that some queries that previously failed returning their results due to reaching 1GB, even though the query completed, now work.

  • Functions

    • Matching on multiple rows with the match() query function is now supported. This functionality allows match() to emit multiple events, one for each matching row. The nrows parameter is used to specify the maximum number of rows to match on.

      For more information, see match().

Fixed in this release

  • Falcon Data Replicator

    • Testing new FDR feeds using s3 aliasing would fail for valid credentials. This issue has now been fixed.

  • UI Changes

    • The Organizations overview page has been fixed as the Volume column width within a specific organization could not be adjusted.

    • The display of Lookup Files metadata in the file editor for very long user names has now been fixed.

  • Storage

    • Throttling for bucket uploads/downloads could cause unintentionally harsh throttling of downloads in favor of running more uploads concurrently. This issue has now been fixed.

    • The throttling for segment rebalancing has been reworked, which should help rebalancing keep up without overwhelming the cluster.

Known Issues

  • Queries

    • A known issue in the implementation of the match() function when using cidr option in the mode parameter, could cause a reduction in performance for the query, and block other queries from executing.