Humio Server 1.19.0 Preview (2021-01-14)

Version?Type?Release Date?Availability?End of Support







Req. Data






JAR ChecksumValue

Important Information about Upgrading

Beginning with version 1.17.0, if your current version of Humio is not directly able to upgrade to the new version, you will get an error if you attempt to start up the incompatible version. The 1.19.0 release is only compatible with Humio release 1.16.0 and newer. This means that you will have to ensure that you have upgraded at least to 1.16.0 before trying to upgrade to 1.19.0. In case you need to do a rollback, this can also ONLY happen back to 1.16.0 or newer. Rolling directly back to an earlier release can result in data loss.


Items that have been deprecated and may be removed in a future release.

Improvements, new features and functionality

  • Other

    • Stateless Ingest-only nodes: A node that the rest of the cluster does not know exists, but is capable of ingesting events into the ingest queue. Enable using NODE_ROLES=ingestonly.

    • Custom ingest tokens making it possible for root users to create ingest tokens with a custom string.

Bug Fixes

  • Configuration

    • New config AUTO_UPDATE_MAXMIND for enabling/disabling updating of all maxmind databases. Deprecates AUTO_UPDATE_IP_LOCATION_DB, but old config will continue to work.

    • New config QUERY_QUOTA_EXCEEDED_PENALTY with value 50 by default. When set >= 1.0 then this throttles queries from users that are over their quota by this factor rather than stopping their queries. Set to 0 to disable and revert to stopping queries.

  • Functions

    • New function hash() for computing hashes of fields. See hash() reference page.

    • Fixed an issue with the cidr() function that would make some IPv4 subnets accept IPv6 addresses and some strings that were not valid IP addresses.

    • Make the query functions window() and series() be enabled by default. They can be disabled by setting the configuration options WINDOW_ENABLED and SERIES_ENABLED to false, respectively.

    • Added a new function for retrieving the ASN number for a given IP address, see asn() reference page.

    • Fixed an issue causing queries using kvParse() to be executed incorrectly in certain circumstances when kvParse() assigned fields starting with a non-alphanumeric character.

    • Fixed an issue where unit-conversion (by timechart) did not take effect through groupBy() and window().

    • Fixed an issue causing queries using kvParse() to filter out too much in specific circumstances when filtering on a field assigned before kvParse().

  • Other

    • New filter function test().

    • Removed config IDLE_POLL_TIME_BEFORE_DASHBOARD_QUERY_IS_CANCELLED_MINUTES. Queries on dashboards now have the same life cycle as other queries.

    • API Changes (Non-Documented API): getFileContent has been moved to a field on the SearchDomain type.

    • The built-in json-for-notifier parser used by the Humio Repository action (formerly notifier) is deprecated and will be removed in a later release. It has been replaced by an identical parser with the name json-for-action, see json-for-action.

    • Notifiers have been renamed to Actions throughout the UI and in log statements. The REST APIs have not been changed and all message templates can still be used.

    • New feature "Event forwarding" making it possible to forward events during ingest out of Humio to a Kafka server. See Event Forwarding documentation. Currently only available for on-prem customers.

    • When a host dies and Humio reassigns digest, it will warn if a fallback host is picked that is in the same zone as existing replicas. Eliminate warning if falling back to a host in the null zone.

    • Renamed LOG4J_CONFIGURATION environment variable to HUMIO_LOG4J_CONFIGURATION. See Configuration Settings.

    • Custom made saved queries, alerts and dashboards in the humio repository searching for events of the kinds metrics, requests or nonsensitive may need to be modified. This is described in more detail in LogScale Internal Logging.

    • Reduced the number of writes to global on restart, due to merge targets not being properly reused.

    • Raised the limit for note widget text length to .00

    • API Changes (Non-Documented API): Queries and Mutations for Parser now expects an id field in place of a name field, when fetching and updating parsers.

    • Improve handling of broken local cache files

    • The Humio Repository action (formerly notifier) now replaces a prefix '#' character in field names with @tag. so that #source becomes @tag.source. This is done to make them searchable in Humio. You can change the name by creating a custom parser. See Action Type: Falcon LogScale Repository.

    • Fixed bug where repeating queries would not validate in alerts.

    • Updated the permission checks when polling queries. This will results in dashboard links "created by users who are either deleted or lost permissions to the view" to get unauthorized. To list all dashboard links, run this graphql query as root:

      query {
        searchDomains {
          dashboards {
            readOnlyTokens {
    • Fixed an rare issue where the digest coordinator would assign digest fewer hosts than configured.

    • Fixed an issue causing Humio to retain deleted minisegments in global for longer than expected.

    • The function parseCEF() now deals with extension fields with labels, i.e. cs1=Value cs1Label=Key becomes cef.label.Key=Value.

    • In the GraphQL API, the value ChangeAlertsAndNotifiers on the Permission enum has been deprecated and will be removed in a later release. It has been replaced by the ChangeTriggersAndActions value. The same is true for the ViewAction enum. On the ViewPermissionsType type, the administerAlertsfield has been deprecated and will be removed in a later release. It has been replaced by the administerTriggersAndActions field.

    • Fixed an issue where segment merge occasionally reported BrokenSegmentException when merging, while the segments where not broken.

    • Introduction of the new log file humio-requests.log. Also the log format for the files humio-metrics.log and humio-nonsensitive.log has changed as described above. See Log LogScale to LogScale.

    • Cluster management stats now shows segments as underreplicated if they are replicated to enough hosts, but are not present on all configured hosts.

    • unit on timechart (and bucket) now works also when the function within uses nesting and anonymous pipelines.

    • Fixed a bug where fullscreen mode could end up blank

    • Fixed an issue that could cause node id assignment to fail when running on ephemeral disks and using Zookeeper for node id assignment. Nodes in this configuration will now try to pick a new id if their old id has been acquired by another node.

    • Made cluster nodes log their own version as well as the versions of all other nodes. This makes it easier to tell which versions are running in the cluster.

    • API Changes (Non-Documented API): Getting Alert by ID has been moved to a field on the SearchDomain type.

    • Improved app loading logic.

    • The transfer job will delete primary copies shortly after transferring the segments to secondary storage. The copies would previously only be deleted once a full bulk had been moved.

    • New ingest endpoint /api/v1/ingest/raw for ingesting singular webcalls as events. See Ingest API - Raw Data documentation.

    • Fixed an issue where canceling queries could produce a spurious error log.

    • Raised the parser test character length to .00.

    • Fixed crash in CleanupDatasourceFilesJob when examining a file size fails due to that file being deleted concurrently.

    • Fixed timeout issue in S3 Archiving

    • The configuration option HTTP_PROXY_ALLOW_NOTIFIERS_NOT_USE has been renamed to HTTP_PROXY_ALLOW_ACTIONS_NOT_USE. The old name will continue to work.

    • In the GraphQL API, on the Alert type, the notifiers field has been deprecated and will be removed in a later release. It has been replaced by the actions field.

    • The names of the metadata fields added by the Humio Repository action (formerly notifier) has been changed to accomodate that it can now also be used from scheduled searches. See Action Type: Falcon LogScale Repository.

    • The configuration option IP_FILTER_NOTIFIERS has been renamed to IP_FILTER_ACTIONS. The old name will continue to work.

    • New feature "Scheduled Searches" making it possible to run queries on a schedule and trigger actions (formerly notifiers) upon query results. See Scheduled Searches.

    • No longer overwrite the humio parser in the humio repository on startup.

    • Fixed an issue with updating user profile, in some situations save failed.

    • New validation when creating an ingest token using the API that the parser, if specified, actually exists in the repository.

    • For ingest using a URL with a repository name in it, Humio now fails ingest if the repository in the URL does not match the repository of the ingest token. Previously, it would just use the repository of the ingest token.

    • The built-in bro-json parser is deprecated and will be removed in a later release. It has been replaced by an identical parser with the name zeek-json, see zeek-json.

    • Added config option for Auth0 based sign on method: AUTH_ALLOW_SIGNUP defaults to true. The config is forwarded to the auth0 configuration for the lock widget setting: allowSignUp

    • Fixed an issue causing the secondary storage transfer job to select and queue too many segments for transfer at once. The job will now stop and recalculate the bulk to transfer periodically.

    • Kafka client inside Humio has been bumped from 2.4.1 to 2.6.0.

    • Fixed an issue where the filter and groupBy buttons on the search page would not restart the search automatically

    • Fixed a rare issue where a node that was previously assigned digest could write a segment to global, even though it was no longer assigned the associated partition.

    • Fixed an issue where the segment rewrite job handling event deletion might rewrite segments sooner than configured.

    • Add an error message to the event if the user is trying to redirect it to another repo using #repo, and the target repo is invalid.

    • Fixed logic for when the organization owner panel should be shown in the User's Danger zone.

    • Upgraded Log4j2 from 2.13.3 to 2.14.0.

    • Added timeout for TCP ingest listeners. By default the connection is closed if no data is received after 5 minutes. This can be changed by setting TCP_INGEST_MAX_TIMEOUT_SECONDS. See Ingest Listeners.

    • Added mutation to update the runAsUser for a read only dashboard token.

    • Humio no longer deletes an existing humio-search-all view if the CREATE_HUMIO_SEARCH_ALL environment variable is false. The view instead becomes deleteable via the admin page.

    • Reduce contention on the query scheduler input queue. It was previously possible for large queries to prevent each other from starting, leading to timeouts.

    • Fixed an issue which caused free-text-search to not work correctly for large (>64KB) events.

    • Humio will only allow using Zookeeper for node id assignment (ZOOKEEPER_URL_FOR_NODE_UUID) when configured for ephemeral disks (USING_EPHEMERAL_DISKS). When using persistent disks, there is no need for the extra complexity added by Zookeeper.

  • Packages

    • Introduced humio insights package that is installed per default on startup on the humio repository.


  • UI Changes

    • The new query editor has a much better integration with Humio's query language. It will give you suggestions as you type, and gives you inline errors if you make a mistake. We will continue to improve the capabilities of the query editor to be aware of fields, saved queries, and other contextual information.

  • Functions

    • A new function called test() has been added for convenience. What used to be done like: tmp := <expression> | tmp=true can now be done using: test( <expression> ). Inside <expression> field names appearing on the right hand side of an equality test, such as field1==field2 compares the values of the two fields. When comparing using = at top-level field1=field2 compares the value of field1 against the string "field2". This distinction is a cause of confusion for some users, and using test() simplifies that.

  • Other

    • With the introduction of Humio packages we have created the Insights Package. The application is a collection of dashboards and saved searches making it possible to monitor and observe a Humio cluster.

    • We have made small changes to how Humio logs internally. We did this to better support the new Insights Package. We have tried to keep the changes as small and compatible as possible, but we have made some changes that can break existing searches in the humio repository (or other repositories receiving Humio logs). We made these changes as we think they are important in order to improve things moving forward.

      Read more about the details of LogScale Internal Logging.

  • Packages

    • This version introduces Humio packages - a way of bundling and sharing assets such as dashboards and parsers. You can create your own packages to keep your Humio assets in Git or create utility packages that can be installed in multiple repositories. All assets can be serialized to YAML files (like what has been possible for dashboards for a while). With tight integration with Humio's CLI humioctl you can install packages from local disk, URL, or directly from a Github repository. Packages are still in beta, but we encourage you do start creating packages yourself, and sharing them with the community. At Humio we are also very interested in talking with package authors about getting your packages on our upcoming marketplace.

      Read more about Packages.