Falcon LogScale 1.169.0 GA (2024-12-17)
Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Config. Changes |
---|---|---|---|---|---|---|---|
1.169.0 | GA | 2024-12-17 | Cloud | Next LTS | No | 1.136 | No |
Available for download two days after release.
Bug fixes and updates.
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
GraphQL API
The new parameter strict has been added to the input of the analyzeQuery() GraphQL query. When set to the default value true, query validation will always validate uses of saved queries and query parameters. When set to false, it will attempt to ignore validation of saved query and query parameter uses. This is a breaking change because previously, validation would behave as if strict was set to false. To achieve legacy behavior, set strict=false.
Storage
There is a change to the archiving logic so that LogScale no longer splits a given segment into multiple bucket objects based on ungrouped tag combinations in the segment. Tag groups were introduced to limit the number of datasources if a given tag had too many different values. But the current implementation of archiving splits the different tag combinations contained in a given segment back out into one bucket per tag combination, which is a scalability issue, and can also affect mini-segment merging. The new approach just uploads into one object per segment. As a visible impact for the user, there will be fewer objects in the archiving bucket, and the naming schema for the objects will change to not include the tags that were grouped into the tag groups that the datasource is based on. The set of events in the bucket will remain the same. This is a cluster risk, so the change is released immediately.
For self-hosted customers: if you need time to change the external systems that read from the archive due to the naming changes, you may disable the DontSplitSegmentsForArchiving feature flag (see Enabling & Disabling Feature Flags).
For more information, see Tag Grouping.
Deprecation
Items that have been deprecated and may be removed in a future release.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
New features and improvements
Administration and Management
Usage is now logged to the humio repository.
Ingestion
Clicking
on the parser editor page now produces events that are more similar to what an ingested event would look like in certain edge cases.
You can now validate whether your parser complies with the ??? by clicking the checkbox in the parser editor.
For more information, see Normalize and Validate Against CPS Schema.
Functions
Introducing a new query function array:dedup() for deduplicating elements of an array.
For more information, see array:dedup().
Fixed in this release
Queries
The query table endpoint client has been fixed: it was unable to receive the response for tables larger than 128 MB, and an error occurred.
A performance regression in the query scheduler that could lead to query starvation and slow searches has been fixed.
Improvement
Storage
Improved performance when syncing IOCs internally within nodes in a cluster.
Improved the performance of ingest queue message handling that immediately follows a change in the Kafka partition count. Without this improvement, changing the partition count could substantially slow down processing of events ingested before the repartitioning.
Relocation of datasources after a partition count change will now be restarted if the Kafka partition count changes again while the cluster is executing relocations. This ensures that datasource placement always reflects the latest partition count.
Functions
Improved the error message for missing time zones in the parseTimestamp() function.