Falcon LogScale 1.152.0 GA (2024-08-20)
Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Config. Changes |
---|---|---|---|---|---|---|---|
1.152.0 | GA | 2024-08-20 | Cloud | 2025-09-30 | No | 1.112 | No |
Available for download two days after release.
Bug fixes and updates.
Removed
Items that have been removed as of this release.
Configuration
The obsolete configuration parameters AUTOSHARDING_TRIGGER_DELAY_MS and AUTOSHARDING_CHECKINTERVAL_MS have been removed, because autosharding is now handled by rate monitoring rather than by ingest delay.
Deprecation
Items that have been deprecated and may be removed in a future release.
The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK; we will bundle one with releases instead.
We are making this change for the following reasons:
By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.
Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similarly to our own internal setups.
By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.
The last release where the server.tar.gz artifact is included will be 1.154.0.
The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script will be removed in 1.154.0. The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at Configuration.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Behavior Changes
Scripts or environments which make use of these tools should be checked and updated for the new configuration:
Functions
Prior to LogScale v1.147, the array:length() function accepted a value in the array argument that did not contain brackets [ ], so that array:length("field") would always produce the result 0 (since there was no field named field). The function has now been updated to properly throw an exception if given a non-array field name in the array argument. Therefore, the function now requires the given array name to have [ ] brackets, since it only works on array fields.
New features and improvements
UI Changes
In Organization settings, layout changes have been made to the Groups page for viewing and updating repository and view permissions on a group.
GraphQL API
The stopStreamingQueries() GraphQL mutation is no longer in preview.
Configuration
The default retention.bytes for the global topic has been changed from 1 GB to 20 GB. This is applied only when the topic is initially created by LogScale. For existing clusters you should raise retention on the global topic so that it has room for at least a few hours of flow. This is only relevant for large clusters, as small clusters do not produce enough to exceed 1 GB per few hours. It is ideal to have room for at least 1 day in the global topic for better resilience against large spikes in traffic combined with losing global snapshot files.
Fixed in this release
UI Changes
The Query Monitor page would show queries running on @ingesttimestamp as running on a search interval over all time. This wrong behavior has been fixed to show the correct search interval.
Automation and Alerts
Fixed an issue where queries that were failing would never complete. This could cause Alerts and Scheduled Searches to hang.
Scheduled Searches would not always log if runs were skipped due to being behind. This issue has been fixed now.
Dashboards and Widgets
An issue where the header of the Table widget appeared transparent has been fixed.
Known Issues
Queries
Improvement
Automation and Alerts
The log field previouslyPlannedForExecutionAt has been renamed to earliestSkippedPlannedExecution when skipping scheduled search executions.
The field useProxyOption has been added to Webhooks action templates to be consistent with the other action templates.
The severity of a number of alert and scheduled search logs has been changed to better reflect the severity for users.
Ingestion
The Split by AWS records preprocessing option, used when you Set up a New Ingest Feed, now requires the Records array. This better protects against a situation where mistakenly using this preprocessing step with non-AWS records would interpret the files as empty batches of events, causing notifications in SQS to be deleted without ingesting any events.
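The failure mode described above, sketched as an added example (this is not LogScale code; the function names, the sample files and the keep-the-notification handling on failure are assumptions): a lenient splitter reads a file without a Records array as an empty batch, so the SQS notification is deleted with nothing ingested, while a strict splitter rejects the file.

```python
import json


class MissingRecordsArray(ValueError):
    """The file has no top-level "Records" array, so it is not an AWS records file."""


def split_lenient(raw):
    # Behaviour the note warns about: a missing "Records" key reads as an empty batch.
    doc = json.loads(raw)
    return doc.get("Records", []) if isinstance(doc, dict) else []


def split_strict(raw):
    # Behaviour after the change: the "Records" array is mandatory.
    doc = json.loads(raw)
    if not isinstance(doc, dict) or not isinstance(doc.get("Records"), list):
        raise MissingRecordsArray('top-level "Records" array is required')
    return doc["Records"]


def handle_notification(raw, splitter):
    """Return (events_ingested, delete_sqs_notification) for one file."""
    try:
        events = splitter(raw)
    except MissingRecordsArray:
        # Assumption: on failure the notification is kept for retry or review.
        return 0, False
    return len(events), True


# Constructed sample files, not real log data.
AWS_FILE = b'{"Records": [{"eventName": "ConsoleLogin"}, {"eventName": "AssumeRole"}]}'
OTHER_FILE = b'{"events": [{"msg": "app started"}, {"msg": "user login"}]}'


def demo():
    return {
        "lenient_aws": handle_notification(AWS_FILE, split_lenient),
        "lenient_other": handle_notification(OTHER_FILE, split_lenient),
        "strict_aws": handle_notification(AWS_FILE, split_strict),
        "strict_other": handle_notification(OTHER_FILE, split_strict),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The lenient_other case is the silent data loss: zero events ingested and the notification marked for deletion.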