Falcon LogScale 1.97.0 Preview (2023-07-04)

Version?Type?Release Date?Availability?End of Support







Req. Data







Bug fixes and updates.

Advanced Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.

Improvements, new features and functionality

  • Security

    • All view permission tokens created from now on will not be able to run queries based on the user who created it (legacy behavior due to user requirement for queries). They will however be able to run queries on behalf of the organization given the right permissions.

      Existing view permission tokens and the resources (scheduled searches, alerts, etc.) are unaffected by this change. For any view permission tokens created after this change, the scheduled searches, alerts, etc. created using these tokens, will run based on the organization instead of the user who created the token.

      This addresses the issue where, for example, alerts created using a view permission token would fail to run if the user who created the token was removed from the organization or if the permissions needed to run the alert was removed from the user. With the new behaviour the alert will continue working even though the user is removed or looses the required permissions to run the alert.

    • Migration from the legacy Organization Shared Dashboard IP filter to the Dashboard Security Policies for sharing dashboards will be done by Creating an IP Filter corresponding to the old filter. If the migration can be performed, this IP Filter will be set on all shared dashboards and set as the Shared Dashboard IP filter Security Policy for the organization. If migration cannot be done, a notification will be displayed to the organization owner explaining how to complete the migration manually. Migration cannot be done when there is a shared Dashboard that has an IP filter other than the legacy Organization Shared Dashboard IP filter.

    • Introducing organization query ownership, permission tokens and organization level security policies features.

      For more information, see Organization Owned Queries, Repository & View Permissions, Security Policies.

  • UI Changes

    • Organization and system level permissions can now be handled through the UI.

  • Automation and Alerts

    • More attributes have been added to Filter alerts:

      • Filter alerts will now be able to catch up with up to 24 hours of delay (ingest delays + delays in actions).

      • Filter alerts will now trigger on events that are unavailable for up to 10 minutes due to query warnings.

      For more information, see Filter Alerts.

    • A new Enable/Disable option has been added for Alerts and Scheduled Searches.

      For more information, see Managing Alerts.

  • GraphQL API

    • A GraphQL API has been added to read the current tag groupings on a repository.

      For more information, see repository().

  • Configuration

  • Dashboards and Widgets

    • When clicking Edit in search view on a dashboard widget, the query will now use the live setting of the dashboard. Also, parameter values are carried over.

      For more information, see Managing Widgets.

  • Log Collector

  • Other

    • Tag groupings page is now available under the repository Settings tab to see the tag groupings which are currently in use on a repository.

Bug Fixes

  • Automation and Alerts

    • Filter alerts with a query ending with a comment would not run. This issue has now been fixed.

  • Dashboards and Widgets

    • The rendering of JSON in the Event List widget is now faster and consumes less memory.

    • When using the sort() function with the Bar Chart widget, it would only stay sorted for a while. The issue has been fixed and it now remains sorted in the same order as the underlying data.

  • Other

    • A 500 status code was issued when ingesting to /api/v1/ingest/json with no assigned parser. It now ingests the rawstring.