Falcon LogScale 1.152.0 Preview (2024-08-20)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | JDK Compatibility? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.152.0 | Preview | 2024-08-20 | Cloud | Next Stable | No | 1.112 | 21-22 | No |
Bug fixes and updates.
Removed
Items that have been removed as of this release.
Configuration
The obsolete configuration parameters
AUTOSHARDING_TRIGGER_DELAY_MSandAUTOSHARDING_CHECKINTERVAL_MShave been removed due to autosharding being handled by rate monitoring and not by ingest delay anymore.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
server.tar.gzrelease artifact has been deprecated. Users should switch to theOS/architecture-specific server-linux_x64.tar.gzorserver-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK, we will bundle one with releases instead.We are making this change for the following reasons:
By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.
Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.
By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.
The last release where
server.tar.gz artifactis included will be 1.154.0.The
HUMIO_JVM_ARGSenvironment variable in the LogScale Launcher Script script will be removed in 1.154.0.The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at Override garbage collection configuration within the launcher script.
The lastScheduledSearch field from the
ScheduledSearchdatatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to theScheduledSearchdatatype to replace lastScheduledSearch.
New features and improvements
UI Changes
In Organization settings, layout changes have been made to the
Groupspage for viewing and updating repository and view permissions on a group.
GraphQL API
The stopStreamingQueries() GraphQL mutation is no longer in preview.
Configuration
The default
retention.byteshas been modified for global topic from 1 GB to 20 GB. This is applied only when the topic is being created by LogScale initially. For existing clusters you should raise retention on the global topic so that it has room for at least a few hours of flow. This is only relevant for large clusters, as small clusters do not produce enough to exceed 1 GB per few hours. It is ideal to have room for at least 1 day in the global topic for better resilience against large spikes in traffic combined with losing global snapshot files.
Fixed in this release
UI Changes
The
Query Monitorpage would show queries running on @ingesttimestamp as running on a search interval over all time. This wrong behavior has been fixed to show the correct search interval.
Automation and Alerts
Scheduled Searches would not always log if runs were skipped due to being behind. This issue has been fixed now.
Fixed an issue where queries that were failing would never complete. This could cause Alerts and Scheduled Searches to hang.
Dashboards and Widgets
The
Tablewidget has been fixed due to its header appearing transparent.
Improvement
Automation and Alerts
The field
useProxyOptionhas been added to Webhooks action templates to be consistent with the other action templates.The log field
previouslyPlannedForExecutionAthas been renamed toearliestSkippedPlannedExecutionwhen skipping scheduled search executions.The severity of a number of alert and scheduled search logs has been changed to better reflect the severity for users.
Ingestion
The Split by AWS records preprocessing when Set up a New Ingest Feed now requires the
Recordsarray. This better protects against a situation where mistakenly using this preprocessing step with non-AWS records would interpret the files as empty batches of events, leading notifications in SQS to be deleted without ingesting any events.