Falcon LogScale 1.227.0 GA (2025-02-10)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.227.0 | GA | 2025-02-10 | Cloud | Next LTS | No | 1.150.0 | 1.177.0 | No |
Available for download two days after release.
Use docker pull humio/humio-core:1.227.0 to download the latest version.
Bug fixes and updates
Breaking Changes
The following items create a breaking change in the behavior, response or operation of this release.
GraphQL API
Improved resource management controls to ensure system stability and performance for GraphQL query processing. These changes will not impact normal usage of LogScale's UI and API.
Storage
Removed the feature flag WriteNewSegmentFileFormat, making the new segment file format mandatory. This feature was introduced in version 1.138 to improve segment file compression and became enabled by default in version 1.162.
Important
After deploying this version, clusters cannot be downgraded to versions older than 1.177.
Configuration
The MAX_GRAPHQL_QUERY_DEPTH environment variable has been removed. Use the GraphQLQueryDepthLimit dynamic configuration variable instead.
For information about setting dynamic configurations, see Setting a Dynamic Configuration Value. A list of available GraphQL dynamic configurations can be found at Dynamic Configuration Parameters when filtering by "GraphQL".
Queries
The Regular Expression Engine V2 is now promoted as the default regex engine used by LogScale. This change deprecates the environment variables for selecting an engine other than the default, and changes the semantics of the regular expression syntax.
Notable changes:
Octal notation (\nnn) is no longer supported. Use hexadecimal notation instead (\xnn, \x{nnnn}, or \unnnn). This change was made to address potential octal notation overlaps with the backreference syntax, creating an opportunity for error, e.g. when trying to match IP addresses.
\v now represents vertical whitespace instead of just vertical tabulation. Use \x0B for vertical tabulation specifically.
\h now represents horizontal whitespace instead of the literal h character. To match the character h specifically, remove the backslash. To match the characters \h, use the appropriate escaping of the backslash by using another backslash, that is, \\h.
Unrecognized escape sequences like \l now return an error instead of referring to literal characters.
The notations \b and \w now have the same "word character" class definition, namely any ASCII letter, digit, or the _ character.
Inline flags now apply to all branches of an alternation, meaning (?i)foo|bar is interpreted as (?i)(?:foo|bar), whereas before it would only apply to the first branch of the alternation, in the above case foo.
The following environment variables are now deprecated:
USE_JAVA_REGEX
USE_JAVA_REGEX_FOR_INTERNALS
These environment variables will become ineffective with version 1.238.
These changes make LogScale's regular expressions more consistent with other popular regex engines and syntaxes such as PCRE2, Java's regex engine, and ECMAScript's regex engine.
Note
LogScale's regular expressions are not fully compatible with these regex engines.
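An added example, not part of the release notes or of LogScale itself: a small Python linter that scans saved regex patterns for the constructs listed above whose meaning changes under Regular Expression Engine V2. The octal heuristic, the flag-group shape, the finding codes and the sample patterns are assumptions made for illustration.

```python
import re

# Advice per finding code, worded from the notable changes listed above.
ADVICE = {
    "octal-escape": r"octal \nnn is no longer supported; use \xnn, \x{nnnn} or \unnnn",
    "v-escape": r"\v now matches any vertical whitespace; use \x0B for vertical tab",
    "h-escape": r"\h now matches horizontal whitespace; drop the backslash for a literal h",
    "flag-alternation": "inline flag now applies to every branch of the alternation",
}
# Assumptions: octal looks like \0n or \nnn (first digit 0-3); a flag-only group is (?letters).
_OCTAL = re.compile(r"[0-3][0-7]{2}|0[0-7]")
_FLAG_GROUP = re.compile(r"\(\?[a-zA-Z-]+\)")

def lint_regex(pattern):
    """Return the sorted finding codes for one regex pattern."""
    findings, in_class, i = set(), False, 0
    flag_seen = [False]   # one entry per open group; index 0 is the top level
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]   # an escaped backslash is skipped as a unit, so \\h is not flagged
            if nxt in "vh":
                findings.add(nxt + "-escape")
            elif _OCTAL.match(pattern, i + 1):
                findings.add("octal-escape")   # single-digit backreferences such as \1 do not match
            i += 2
            continue
        if in_class:
            in_class = ch != "]"   # inside [...] the characters ( ) | are literals
        elif ch == "[":
            in_class = True
        elif ch == "(":
            m = _FLAG_GROUP.match(pattern, i)
            if m:                  # flag-only group such as (?i): remember it for this group level
                flag_seen[-1] = True
                i = m.end()
                continue
            flag_seen.append(False)
        elif ch == ")" and len(flag_seen) > 1:
            flag_seen.pop()
        elif ch == "|" and flag_seen[-1]:
            findings.add("flag-alternation")
        i += 1
    return sorted(findings)

# Constructed sample patterns, not taken from any real deployment.
SAMPLES = [r"(?i)error|fail", r"a\hb", r"C:\\home", r"line\v\012", r"(\w+)=\1"]
def audit(patterns):
    return {p: [ADVICE[c] for c in lint_regex(p)] for p in patterns}
```

Calling audit(SAMPLES) maps each pattern to the advice that applies; patterns with an empty list need no change for the constructs checked here.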
With the introduction of the new regex default engine, we are phasing out the use of other engines. Flags for using a particular engine such as F are deprecated, and will be removed from the query language with version 1.274.
These changes address the following issues:
The old engine would run indefinitely upon matching regular expressions that match the empty string.
Issues where otherwise valid regular expressions would fail to compile under the old engine.
Issues where a regex would cause the Java Virtual Machine (JVM) to crash.
Issues where the case-sensitivity flag would interfere with boundary conditions.
Issues where inline case-insensitivity flags wouldn't properly apply to the corresponding group.
Issues where the negated word character class \W would incorrectly match digits.
Issues where the previous engine would mismanage group numbering.
Note
Users may experience warnings and error messages that are formatted incorrectly during the period where the old regex engine is phased out. This should resolve by version 1.238.
Note
Users may experience an increase in speed overall with the new engine. Users who see any evidence of regular expressions running slower should contact LogScale at CrowdStrike Customer Center.
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.
Removed
Items that have been removed as of this release.
Configuration
The environment variable TEMP_SHORTCUT_EXTERNAL_FUNCTION_CALLS is no longer used by LogScale and can be safely removed.
Deprecation
Items that have been deprecated and may be removed in a future release.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Queries
The QuerySessions class now propagates user permission changes to running static queries, allowing them to end or restart as necessary. Previously, this behavior was only applied to live queries.
New features and improvements
Automation and Triggers
It is now possible to configure filter and aggregate alerts to throttle on multiple fields.
To support this change, the following GraphQL changes have been made:
The GraphQL argument throttleField has been deprecated and replaced with throttleFields for types FilterAlert, AggregateAlert, UnsavedFilterAlert, and UnsavedAggregateAlert.
The GraphQL argument throttleField has been deprecated and replaced with throttleFields in mutations createFilterAlert and createAggregateAlert.
Mutations updateFilterAlert and updateAggregateAlert have been deprecated and replaced with updateFilterAlertV2 and updateAggregateAlertV2.
The main difference is that the throttleField field is being removed and a throttleFields field is being added.
GraphQL API
Extended the analyzeQuery() GraphQL endpoint to support alerts. The queryKind parameter now supports the following values:
For filter alerts: { filterAlert: {} }
For aggregate alerts: { aggregateAlert: {} }
For legacy alerts: { legacyAlert: {} }
Note
Alerts have restrictions beyond the query string, in particular regarding the time interval of a query. Those restrictions are outside the scope of the validation done by analyzeQuery().
Queries
Added support for Unicode categories in LogScale's new regex engine using \p{L} syntax. Supported categories include:
Letters (L)
Symbols (S)
Punctuation (P)
Control characters (Cc)
These categories can also be used in character classes like [\p{S}A-Z] and negated using \P{L}.
For more information, see Regular Expression Engine V2 Syntax Patterns.
Functions
Released the new query function explain:asTable(), which provides detailed insights into query performance by showing a step-by-step breakdown of time consumption and event filtering throughout the query.
Fixed in this release
User Interface
Fixed an issue with correlate query graph visualization, where nodes and edges would not render correctly in certain circumstances.
These two wrong behaviors have been fixed in the web interface:
The Events tab would not show when the main correlate query did not return results.
A wrong default widget was selected by the Widget selector.
Automation and Triggers
Fixed an issue where the creation of a scheduled report without parameter values would result in an invalid and failing result.
Storage
Fixed an issue where global snapshot failure would prevent further attempts until system restart.
Fixed an issue occurring during offset calculation for digest that could cause minisegments that go missing before being fully replicated to be incorrectly deleted and replayed from Kafka.
This occurred only in datasources that were recently created or whose status had recently changed from idle to non-idle. In the future, these minisegments will appear in the cluster admin panel designated as "absent".
Fixed an issue where a failing assertion in DataSyncJob could cause a system crash in very rare cases.
Functions
Fixed an issue where using the function wildcard() as part of an expression (for example test(wildcard(...))) would result in an internal server error. The proper query validation error now correctly displays in the query editor.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (i.e. the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Automation and Triggers
The Triggers overview page has been updated with the following improvements:
Sorting is now available for all columns.
The Search... field now supports filtering across all columns.
The and filtering options are now available for quickly selecting all items and then excluding single items, and for quickly identifying triggers with no label, action, or package attached.
Both options are available for the Labels, Actions and Packages columns.
For more information, see Manage triggers.
Storage
Added a delay between retry attempts when global snapshot uploads fail.
Queries
The election process regarding slow queries has been updated to the following parameters:
Changed the threshold from 100 times slower to 500 times slower for vote casting.
Increased vote timeout from 5 minutes to 15 minutes.
When a node is elected as problematic by the entire cluster within the timeout period, it is logged with the message These nodes were deemed bad by the rest of the cluster.
Improved query throttling for segment merges. Queries are not throttled if segment merging falls behind due to slow segment fetches.