Falcon LogScale 1.180.0 GA (2025-03-18)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.180.0 | GA | 2025-03-18 | Cloud | Next LTS | No | 1.150.0 | 1.157.0 | No |
Available for download two days after release.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on theRoletype has been marked as deprecated (will be removed in version 1.195).The
storagetask of the GraphQLNodeTaskEnumis deprecated and scheduled to be removed in version 1.185. This affects the following items:
The
supportedTasksfield of theClusterNodetype.The
assignedTasksfield of theClusterNodetype.The
unassignedTasksfield of theClusterNodetype.The assignTasks() mutation.
The unassignTasks() mutation
The
INITIAL_DISABLED_NODE_TASKSconfiguration variable.LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.189.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
logscale Syntax"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"Some uses of the
wildcard()function, particularly those that do not specify afieldargument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example/(abra|kadabra)/are also free-text-searches and are thus also deprecated after the first aggregate function.To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example,
myField=/(abra|kadabra)/continue to work also after the first aggregate function.The use of the event functions
eventInternals(),eventFieldCount(), andeventSize()after the first aggregate function is deprecated. For example:Invalid Example for Demonstration - DO NOT USElogscaleeventSize() | tail(200) | eventInternals()Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.189.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
logscaleeventSize() | tail(200)The setConsideredAliveUntil and
setConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from theScheduledSearchdatatype is now deprecated and planned for removal in LogScale version 1.202. The newlastExecutedandlastTriggeredfields have been added to theScheduledSearchdatatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
Storage
These two features are now enabled by default:
DigestersDontNeedMergeTargetMinisSegmentRebalancerHandlesMinis
This configuration ensures faster digest reassignment by reducing the number of mini segments fetched by LogScale.
LogScale will now crash if the target bucket for writing is marked
readOnlywhile the cluster is running.
GraphQL API
Enabled the
ReplacePeriodicIngestOffsetPushingfeature flag by default, which reduces the load on global from updates to datasourceingestOffsets.
API
Introduced two new API extensions for the Query Jobs API:
Export API. Enables exporting query results in multiple formats:
CSV
JSON
NDJSON
Plain-text
Pagination API:
Enables result pagination instead of receiving complete results per poll
Supports sorting results by specified fields/columns
Helps protect query clients from large result sets.
For more information, see Export API, Pagination API.
Queries
Added an optional field statistics computation to the query result. This computation finds all the fields of the result and the 10 most common values for each field. This is the same information that powers the fields panel of the LogScale UI.
This computation must be enabled on a per-query basis, which can be done by adding the field
trueto the query input.
Functions
From this release, LogScale increases the limits for the functions:
sort(),table(),tail(), andhead(). These functions can now return up to 50,000 rows (previously 20,000). The maximum row limit is planned to be increased in upcoming releases. You can use thelimit=maxargument in your queries to always utilize the current settings. Notes:Queries are limited to a 1GB state size. If this limit is reached, functions may return fewer rows.
The default value for the
limitparameter is 200. This limit will be increased forsort()andtail()functions in upcoming releases.limit=maxsyntax is currently not supported in Multi-Cluster Search setups. LogScale will support it starting from version 1.189.For Self-Hosted environments, the new maximum limit set through the
StateRowLimitdynamic configuration is controlled by the Feature FlagSortNewDatastructure, which is enabled by default. Plan is to remove this Feature Flag in version 1.189.
Fixed in this release
User Interface
When trying to get a token via the UI, the display of the token would close before users could copy it. This issue has now been fixed.
Automation and Alerts
Aggregate alerts no longer warn about ingest delay when the delay is not relevant for the aggregate alert.
Storage
Fixed an issue where a node might crash during the digest phase due to incorrect state tracking.
If a bucket was previously used as the source for disaster recovery via
S3_RECOVER_FROM_KMS_KEY_ARNconfiguration, and the cluster configuration was updated to use that bucket again as theS3_STORAGE_BUCKET, the global state of the bucket was not correctly updated, causing LogScale to upload the same files repeatedly into the bucket in an attempt to perform disaster recovery. This issue has been fixed.
Dashboards and Widgets
Fixed an issue in the
Bar Chartwidget where the series would not be found automatically even with the fields present in the query result.
Queries
Simplifications around Query Coordination for cluster queries have been made internally to fix an issue which, in rare cases, could lead to a query that is handed over without a coordinator.
Query state issues during query restarts have been addressed to resolve or reduce these behaviors:
Queries returning a 404 error during restart operations
Queries displaying an incorrect stopped status
Functions
Before this fix,
array:eval()andobjectArray:eval()might cause an internal error or return incorrect/garbled data, depending on the internal representation of the event they were working on.
Improvement
User Interface
Events ListandTablewidgets now load large query results faster through the new Pagination API implementation.
Automation and Alerts
Added more fields to some of the logs for aggregate alerts in the humio-activity repository.
Scheduled searches can now also run on the @ingesttimestamp. A configurable Max wait time property on scheduled searches that runs on @ingesttimestamp is used to catch events that are delayed in the ingestion pipeline, or to wait for query warnings about missing data and errors. The @ingesttimestamp is the default timestamp set on all new scheduled searches.
With this change, the GraphQL mutations createScheduledSearch and updateScheduledSearch have been deprecated for removal in 1.231 and createScheduledSearchV2 and updateScheduledSearchV2 will replace them.
For more information about scheduled searches and their timestamps, see Ingest delay for scheduled searches. For information about the Max wait time property, see Max wait time.
A link is now being added to open the query on the
Searchpage when the trigger is in read-only state on theTriggersoverview.
Storage
LogScale nodes will now delay moving segments away from gracefully terminated nodes, to avoid moving segments unnecessarily for ordinary reboots. The default delay is 5 minutes. Nodes being removed long-term from the cluster should be evicted first, which will disable this delay. It is possible to adjust the delay using the
GracefulShutdownConsideredAliveSecondsdynamic configuration.
Dashboards and Widgets
When exporting a dashboard as a template file, the field queryString for a interaction and the field urlTemplate for a interaction no longer require minimum lengths and can be empty.
The Link option for formatting columns in the
Tablewidget now allows for opening links in a new tab.Dashboards now load query results faster due to optimized field statistics calculations.
Queries
The Query Coordinator now accurately tracks client polls' frequency. This improvement prevents unnecessary polling operations in those cases where clients do not poll the query as frequently as allowed, as with alerts for example.