Falcon LogScale 1.80.0 Preview (2023-03-07)

Version?Type?Release Date?Availability?End of Support







Req. Data







Bug fixes and updates.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Ingestion

    • Ingested events would not be limited in size if the bulk of the data in the event was in fields other than @rawstring. This will now be enforced. Events that exceed the limit on event size at ingest are handled as follows:

      • @rawstring is truncated to the maximum allowed length, and all other fields are dropped from the event.

      • @timestamp becomes the ingest time.

      • @timezone becomes UTC.

      (This is identical to the previous handling of oversized @rawstring).


Changes that may occur or be required during an upgrade.

  • Other

    • Kafka client has been upgraded to 3.4.0.

      Kafka broker has been upgraded to 3.4.0 in the Kafka container.

      The container upgrade is performed for security reasons to resolve CVE-2022-36944 issue, which Kafka should however not be affected by. If you wish to do a rolling upgrade of your Kafka containers, please always refer to Kafka upgrade guide.

Improvements, new features and functionality

  • UI Changes

    • Whether one can create a new repository is now controlled by the Create repository permission in the UI.

  • Configuration

    • Removed NEW_VHOST_SELECTION_ENABLED as a configuration option. The option has been true by default since 1.70; an opt-out is no longer needed.

  • Dashboards and Widgets

    • Changed the query editor when editing dashboard queries to be the same that is used on the Search page.

  • Log Collector

    • New Template feature added to the Fleet Management page, which allows you to:

      • upload a yaml file when creating a new configuration

      • export either the published or draft version of a configuration file.

      For more information, see Fleet Management Overview.

  • Functions

  • Other

    • Added backend support for organization level query monitor. The new MonitorQueries permission now allows viewing queries that are running within the organization.

  • Packages

    • Interactions installed from a package use the new repository where the package is installed.

Bug Fixes

  • UI Changes

    • A high CPU usage in the UI since LogScale 1.75 when the Time Zone Selector dropdown was displayed has now been fixed.

  • Configuration

    • Automatic generation and updating of the digest partitions table has been enabled, and manual editing is no longer supported. See Digest Rules for reference.

      The table will be kept up to date based on the following node-level settings (see Starting a New LogScale Node):

      • ZONE defines a node's zone. The table we generate will attempt to distribute segments across as many zones as possible.

      • Nodes will appear in the table more often if they have many cores. Nodes with fewer cores will appear less often.

      • Nodes with a NODE_ROLES setting that excludes digest work will not appear in the table.

      A cluster-level setting has also been introduced: setDigestReplicationFactor GraphQL mutation configures the replication factor to use for the table. This is also settable via the environment variable DEFAULT_DIGEST_REPLICATION_FACTOR.

      Automatic management of the digest partition table is now handled by the environment variable DEFAULT_ALLOW_UPDATE_DESIRED_DIGESTERS. We intend to remove the option to handle digest partitions manually in the future.

  • Dashboards and Widgets

    • Keyboard combinations cmd+Z/Ctrl+Z no longer deletes the query on dashboard widgets.

  • Functions

    • A performance issue in collect() when it collected many values has been fixed.

    • Validation of join() and join-like functions in conditional expressions and subqueries not having positional information has been fixed.

    • Fixed an issue where joins in case statements, match statements, and subqueries would mark the entire query as erroneous.

  • Other

    • Some minisegments would be excluded from queries in cases where those minisegments had previously been merged, but the merge was reverted.

    • Minisegments would be removed too early from nodes which were querying them, causing queries to be missing some data.

    • Two hosts booted at around the same time would conflict on which vhost number to use, causing one of the hosts to crash.

    • Avoid caching warnings that some data segments could not be found on any servers. This prevents queries from displaying this warning spuriously.