Falcon LogScale 1.182.0 GA (2025-04-01)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.182.0GA2025-04-01

Cloud

Next LTSNo1.150.01.157.0No

Available for download two days after release.

Bug fixes and updates.

Removed

Items that have been removed as of this release.

GraphQL API

  • The following items have been removed:

    • assetType field on the types Alert, Dashboard, ViewInteraction, and SavedQuery.

    • GraphQL mutations createAlertFromTemplate, createAlertFromPackageTemplate, createScheduledSearchFromTemplate, and createScheduledSearchFromPackageTemplate.

    • Enumeration value ChangeTriggersAndActions from the enumeration types Permission and ViewAction.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.185. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.189.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale Syntax
    "Lorem ipsum dolor" 
| tail(200)         
| "sit amet, consectetur"

    Some uses of the wildcard() function, particularly those that do not specify a field argument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example /(abra|kadabra)/ are also free-text-searches and are thus also deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, myField=/(abra|kadabra)/ continue to work also after the first aggregate function.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() | tail(200) | eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    Using these functions after the first aggregate function will be made unavailable in version 1.189.0 and onwards.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() | tail(200)

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Configuration

    • KAFKA_MANAGED_BY_HUMIO has an updated behavior. When the default setting KAFKA_MANAGED_BY_HUMIO=true is applied, LogScale will:

      • Set up new topics (ingest queue, global and chatter) using default settings

      • No longer modify existing topic configurations to conform to these defaults

      Key benefits of this change:

      • Clearer separation of responsibilities between LogScale and Kafka

      • Topic settings management should be handled via Kafka admin scripts, not by editing LogScale settings.

      Important

      Ensure Kafka cluster is fully operational and verify the required number of brokers in the Kafka cluster: LogScale will fail to start if topic creation is needed and the available Kafka brokers are less than the number necessary to hit the configured replication factor.

      The following configuration options now only apply on initial creation of a topic:

      Customers wishing to customize these can do so via the scripts shipping with their Kafka install, for example kafka/bin/kafka-configs.sh.

      The following configuration variables are now available, and are only applied when a topic is being initially created:

      The min.insync.replicas setting will be initially set to the replication factor minus 1, to allow for the loss of one replica.

      You can customize these settings via the scripts shipping with your Kafka install, for example kafka/bin/kafka-topics.sh and kafka/bin/kafka-configs.sh.

      The default initial replication factor for the ingest queue is now 3, it was previously 2.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The bundled JDK version is now being upgraded to Java 24.

      Due to a version update of the bundled timezone database in the JDK, users may encounter slight changes in LogScale query behavior: previously, the EST, HST and MST time zone identifiers were linked to the -05:00, -07:00 and -10:00 time zone offsets. They are now linked to America/Panama, America/Honolulu and America/Phoenix. While this doesn't change the time zone behavior itself, it may impact queries that look for time zone identifier strings. For example, the query:

      logscale
      createEvents("a=b") 
 | kvParse() 
 | formatTime(format="%Z", as="timezone", timezone=EST) 
 | select(timezone)

      would return -05:00 on earlier releases. As of this release, it will return America/Panama.

      Due to a version update of the bundled CLDR locale data in the JDK, users may encounter slight changes in LogScale query behavior:

      • First day of week is Monday in UAE, see CLDR-15697

      • Default numbering system for Arabic in non-Arabic-speaking locations, see CLDR-17553

      • Comma is added for some date formatting patterns, see CLDR-17812

      • Some time zone names changed due to them becoming links to other zones, see CLDR-17960

      Due to a version update of the bundled Unicode version in the JDK, users may encounter slight changes in LogScale query behavior:

      • Sorting on strings and case-insensitive regex matching may change to be more correct now if your data contains certain Unicode characters.

      • This Java release upgrades the Unicode version to 16.0, which includes updated versions of the Unicode Character Database and Unicode Standard Annexes #9, #15, and #29.

      • Unicode has added 5,185 new characters, for a total of 154,998 characters. The new additions include seven new scripts:

        • Garay is a modern-use script from West Africa.

        • Gurung Khema, Kirat Rai, Ol Onal and Sunuwar are four modern-use scripts from Northeast India and Nepal.

        • Todhri is an historic script used for Albanian.

        • Tulu-Tigalari is an historic script from Southwest India.

      For more details about Unicode 16.0, refer to Unicode Consortium's release note.

New features and improvements

  • User Interface

    • For Self-hosted customers only. Shared files are now integrated into the file list, appearing alongside repository-scoped and view-scoped files. This unified display provides better visibility and easier access to all available files.

  • Automation and Alerts

    • Logs for Alert and Scheduled search queries now contain the id and name of the alert (alertId and alertName) or scheduled search (scheduledSearchId and scheduledSearchName).

    • The Triggers overview now displays new columns:

      • Description
      • Last error
      • Next planned execution (only for scheduled searches)

  • API

    • The new update-uploaded-files-storage-target subpath is now available for the bucket-storage-target endpoint. The endpoint has a POST form and uses the same arguments as update-segments-storage-target. The GET /api/v1/bucket-storage-target endpoint is being updated to include shared ReplicableFiles in the uploaded files count.

  • Configuration

  • Ingestion

    • In the parser editor, fields on a test case output that contain both numbers and letters will now take numbers into account, sorting numbers numerically rather than lexicographically. For example, the fields myArray[1], myArray[10], and myArray[2] will now be ordered as myArray[1], myArray[2], and myArray[10].

  • Dashboards and Widgets

    • The Label setting for dashboard parameters has now an increased limit of 200 characters.

  • Queries

    • Searches on @id now target the specific segment when possible. Support for OR is also now available: when the OR operator is used on @id, you can find a few selected events using this operator efficiently. This optimization only applies to @id OR conditions — not if OR mentions criteria other than @id.

  • Functions

Fixed in this release

  • Security

    • In rare cases, references would not be cleaned up properly when deleting a role. Any further attempts to remove these references would fail. This issue has now been fixed.

  • User Interface

    • The Delete File menu item is now correctly disabled when the user lacks deletion permissions.

  • Storage

    • Global offset was not updating during patch updates, which could create duplicate global snapshot names with different contents. This issue has now been fixed so that all global updates will now update the offset and should no longer produce the same snapshot name twice.

    • Debug log lines could be missing if LogScale crashed during the boot sequence.

  • Dashboards and Widgets

    • The Table widget has been fixed as it would display an empty page on a dashboard when applying a parameter or dashboard filter.

  • Queries

    • Fixed an issue where in rare cases a static query might terminate early and include incomplete results.

    • Fixed an issue where the execution time of a static query did not include the result phase of the execution.

    • Fixed an issue where a query could be incorrectly started from a cached state, which would lead to its failure. This specifically happened for static queries which ended in the past, for example end != "now".

    • Regexes in queries using the LogScale Regular Expression Engine V2 would give unreadable diagnostics. For example, before the fix the regex /\c/F would produce the diagnostic message: Couldn't compile regex. Problems: List((EscapeSequenceIncomplete(),0,2)). The issue has been fixed so that the same regex now correctly produces the diagnostic message: Escape sequence incomplete. This escape sequence (starting with a '\') is not syntactically valid. It is perhaps incomplete, or not intended to be an escape sequence.

    • Improving error handling for remote responses in LogScale Multi-Cluster Search, by fixing incorrect error reporting that was masking underlying issues.

  • Other

    • An LsCpuJob issue showing up in logs is being fixed, as it incorrectly assumed that the string output from the lscpu shell command could not contain colons.

Improvement

  • Queries

    • A performance improvement has been implemented for queries combining multiple text searches with different tag filters, through reduced data scan volume. Example query:

      logscale
      #event=ConnectIP4 OR (#event=ReceiveAcceptIP4 AND RemoteAddressIP4=12.34.56.78)