Falcon LogScale 1.175.0 GA (2025-02-11)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.175.0 | GA | 2025-02-11 | Cloud | 2026-03-31 | No | 1.150.0 | 1.157.0 | No |
Available for download two days after release.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on theRoletype has been marked as deprecated (will be removed in version 1.195).The
storagetask of the GraphQLNodeTaskEnumis deprecated and scheduled to be removed in version 1.185. This affects the following items:
The
supportedTasksfield of theClusterNodetype.The
assignedTasksfield of theClusterNodetype.The
unassignedTasksfield of theClusterNodetype.The assignTasks() mutation.
The unassignTasks() mutation
The
INITIAL_DISABLED_NODE_TASKSconfiguration variable.LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.189.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
logscale Syntax"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"Some uses of the
wildcard()function, particularly those that do not specify afieldargument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example/(abra|kadabra)/are also free-text-searches and are thus also deprecated after the first aggregate function.To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example,
myField=/(abra|kadabra)/continue to work also after the first aggregate function.The use of the event functions
eventInternals(),eventFieldCount(), andeventSize()after the first aggregate function is deprecated. For example:Invalid Example for Demonstration - DO NOT USElogscaleeventSize() | tail(200) | eventInternals()Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.189.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
logscaleeventSize() | tail(200)The
lastScheduledSearchfield from theScheduledSearchdatatype is now deprecated and planned for removal in LogScale version 1.202. The newlastExecutedandlastTriggeredfields have been added to theScheduledSearchdatatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
Security
Fetching installed Packages and Scheduled PDF Reports now requires either the
Data read accessor, respectively, theChangePackagesandChange scheduled reportrepository & view permissions.
User Interface
The query editor warnings are now also displayed as runtime warnings. As a result, new warnings for some queries might be displayed. For example, queries that use experimental features will now show warnings. These warnings may trigger notifications for alerts and scheduled searches that use features with associated warnings. However, these queries should continue to run normally. Other hints and information in the query editor remain unchanged.
A new IOC Lookup field interaction is now available for IP fields (for example, ip_address). Invoking this interaction will generate a new query by calling the
ioc:lookup()query function. The new query will use the name of the selected IP field as thefieldargument for the function. For example:logscale Syntaxioc:lookup(field=[actor.ip], type="ip_address", confidenceThreshold="unverified", strict=true)For more information, see Field Interactions.
GraphQL API
The s3ResetArchiving() GraphQL mutation now supports resetting cluster wide archiving on a repository through a new
archivalKindfield.
Functions
The new query functions
array:exists()andobjectArray:exists()are now available. They are both used to filter events based on whether the given array contains an element that satisfies a given condition.For performance reasons, LogScale recommends using
array:exists(), but it can be used for flat arrays only (not for nested arrays). For nested arrays (for example JSON structures), useobjectArray:exists()instead.Both functions offer more flexibility compared to
array:contains()in cases where, for example, you need to compare array elements with values from other fields.
Fixed in this release
Storage
An issue related to undersized-merging of existing segments has been fixed. Previously, this process could create segments spanning up to 15 days, even in repositories with shorter retention periods (such as 30 days). Now, the merging process adheres to the
UndersizedMergingRetentionPercentagedynamic configuration. For example, in a repository with a 30-day retention period, the maximum span for undersized-merging output is now 6 days.A bug that was introduced in version 1.173.0 has been fixed. This bug could cause a node to crash when hash filter files were deleted during digest processing.
Queries
An internal file verification job might not start correctly, which in turn may block digest. This issue has now been fixed.