Falcon LogScale 1.159.0 GA (2024-10-08)
Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Config. Changes |
---|---|---|---|---|---|---|---|
1.159.0 | GA | 2024-10-08 | Cloud | 2025-10-31 | No | 1.112 | No |
Available for download two days after release.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Ingestion
Falcon LogScale now improves decision-making around which segments a digest leader fetches as part of taking over leadership. This should reduce the incidence of small bits of data being replayed from Kafka unnecessarily, and may also reduce how often reassignment will trigger a restart of live queries.
For more information, see Ingestion: Digest Phase.
New features and improvements
Security
For multiple configured SAML IdP certificates, Falcon LogScale now enforces that at least one of them is valid and not expired. This prevents login failures that have occurred due to the expiration of one of the certificates.
For more information, see Certificate Rotation.
The purpose of the repository & view permission ChangeTriggers has changed: it is now intended for creating, deleting and updating alerts and scheduled searches. This permission is no longer needed to view alerts and scheduled searches in read-only mode from the Alerts page: instead, the ReadAccess permission is required for that.
Creating roles that have an empty set of permissions is now supported in the role-permissions.json file. To allow this, add the following line to the file:
"options": { "allowRolesWithNoPermissions": true }
This ensures compatibility when migrating from a previous view-group-permissions.json file, should it contain roles without permissions.
For more information, see Setting up Roles in a File.
Configuration
Kafka resets described at Switching Kafka no longer occur by default. To safeguard against accidental misconfiguration, the ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS environment variable has been added, which by default ensures that Kafka resets are not allowed. With this variable unset, accidental Kafka resets are avoided until an administrator assents to having a Kafka reset performed.
To intentionally perform a Kafka reset, administrators should set ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS to an epoch timestamp in the near future (for instance now + one hour), which will make sure that the setting is automatically disabled again once the reset is complete.
For more information, see ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS.
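A pre-start check for the reset window described above, as an added example that is not part of the release notes or of LogScale. It assumes the value is epoch milliseconds (from the `_MS` suffix) and that the window is closed once the current time reaches it; `reset_deadline_ms`, `audit_reset_setting` and the two-hour ceiling are hypothetical local choices.

```python
import time

VAR = "ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS"
HOUR_MS = 60 * 60 * 1000
MAX_WINDOW_MS = 2 * HOUR_MS  # assumption: local policy ceiling, not a LogScale limit


def reset_deadline_ms(now_ms=None, window_ms=HOUR_MS):
    """Value to export for 'now + window'; the release note suggests one hour."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return now_ms + window_ms


def audit_reset_setting(env, now_ms, max_window_ms=MAX_WINDOW_MS):
    """Classify the variable as found in an environment mapping before start-up."""
    raw = (env.get(VAR) or "").strip()
    if not raw:
        return "unset: resets not allowed (default)"
    if not raw.isdigit():
        return "invalid: not an epoch integer"
    value = int(raw)
    if value < 100_000_000_000:
        # Epoch seconds read as milliseconds fall in the early 1970s.
        return "expired: value looks like seconds, not milliseconds"
    if value <= now_ms:
        # Assumption: the window is closed once 'now' reaches the value.
        return "expired: window closed"
    if value - now_ms > max_window_ms:
        return "open too long: exceeds local policy window"
    return "open: resets allowed until deadline"


# Constructed sample values; NOW_MS is 2024-10-08 00:00:00 UTC.
NOW_MS = 1_728_345_600_000
SAMPLES = {
    "unset": {},
    "one hour": {VAR: str(reset_deadline_ms(NOW_MS))},
    "seconds by mistake": {VAR: str(NOW_MS // 1000 + 3600)},
    "left over from last week": {VAR: str(NOW_MS - 7 * 24 * HOUR_MS)},
    "a year ahead": {VAR: str(NOW_MS + 365 * 24 * HOUR_MS)},
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(f"{label:26} -> {audit_reset_setting(env, NOW_MS)}")
```

A value that stays open far into the future removes the safeguard the variable was introduced for, which is why the check flags it alongside stale and malformed values.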
Queries
Nested repetitions/quantifiers in the Falcon LogScale Regular Expression Engine v2 are now supported. Nested repetitions are constructions that repeat or quantify another regex expression that contains repetition/quantification. For instance, the regex:
/(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})/
makes use of nested repetitions, namely:
(?:\d{1,3}\.){3}
For more information, see LogScale Regular Expression Engine V2.
Introducing a regex backtracking limit of 0.5 seconds per input for the Falcon LogScale Regex Engine v2. As soon as the regex starts backtracking to find matches, it is timed and cancelled if the backtracking to find a match exceeds 0.5 seconds. This is done to avoid instances of practically infinite backtracking, as can be the case with some regexes.
For more information, see LogScale Regular Expression Engine V2.
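Why a per-input time budget bounds the cost of nested repetition, as an added illustration that is neither LogScale's engine nor code from the release notes: a deliberately naive backtracking matcher for the constructed pattern `^(a+)+$`, cancelled once it exceeds the 0.5 second limit. `match_nested_plus` and `BacktrackTimeout` are hypothetical names, and the timer here starts with the match rather than at the first backtrack.

```python
import time

BUDGET_S = 0.5  # per-input limit stated in the release note


class BacktrackTimeout(Exception):
    """Raised when the matcher exceeds its time budget."""


def match_nested_plus(text, budget_s=BUDGET_S):
    """Naive backtracking match of ^(a+)+$; returns (matched, steps)."""
    deadline = time.monotonic() + budget_s
    steps = 0

    def groups(i):
        # One call is one attempt to start an (a+) group at position i.
        nonlocal steps
        steps += 1
        if steps % 1024 == 0 and time.monotonic() > deadline:
            raise BacktrackTimeout(f"cancelled after {steps} steps")
        run_end = i
        while run_end < len(text) and text[run_end] == "a":
            run_end += 1
        # Inner a+: take the longest run first, then give characters back.
        for end in range(run_end, i, -1):
            if end == len(text) or groups(end):
                return True
        return False

    return groups(0), steps


if __name__ == "__main__":
    # Constructed inputs: a run of 'a' followed by one character that forces failure.
    for n in (4, 10, 16, 40):
        subject = "a" * n + "!"
        try:
            matched, steps = match_nested_plus(subject)
            print(f"n={n:2} matched={matched} steps={steps}")
        except BacktrackTimeout as exc:
            print(f"n={n:2} {exc}")
```

Each extra `a` before the failing character doubles the number of attempts, so without the budget the 40-character case would not finish in any practical time.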
Under-the-hood changes to how the size of certain events is estimated should now make query state size estimates more realistic.
Functions
Introducing the new query function coalesce(). This function accepts a list of fields and returns the first value that is not null or empty. Empty values can also be returned by setting a parameter in the function.
For more information, see coalesce().
Introducing the new query function array:drop(). This function drops all consecutive fields of a given array, starting from index 0.
For more information, see array:drop().
Fixed in this release
Queries
Building tables for a query would block other tables from being built due to an internal cache implementation behaviour, which has now been fixed.
Early Access
Security
It is now possible to map one IdP group name to multiple Falcon LogScale groups during group synchronization. Activate the OneToManyGroupSynchronization feature flag for this functionality. With the feature flag enabled, Falcon LogScale will map a group name to all Falcon LogScale groups in the organization that have a matching lookupName or displayName, while also performing validation for identical groups. If the multiple mapping feature is not enabled, the existing one-to-one mapping functionality remains unchanged.
For more information on how feature flags are enabled, see Enabling & Disabling Feature Flags.
For more information, see Group Synchronization.