Latest GA Release
Falcon LogScale 1.244.0 GA (2026-06-09)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.244.0 | GA | 2026-06-09 | Cloud | Next LTS | No | 1.177.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.244.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following manuals have been moved to the archives:
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
New features and improvements
GraphQL API
Added the new GraphQL endpoint removeFeatureOptInForAllOrgs. This endpoint allows cluster owners to remove feature flag opt-ins at the organization level for all organizations in the cluster for a specific feature flag.
This simplifies cleanup after a feature flag rollout process that involved first enabling the feature flag on a subset of organizations before enabling it globally on the cluster.
API
An endpoint has been added to force a parser to recompile on a given node at
/api/v1/invalidateParser. This endpoint requires theManageClusterpermission.
Fixed in this release
Security
A discrepancy regarding organization name validation has been fixed. Previously, names could contain special characters and HTML tags when creating an organization. However, when updating said organization, stricter validation was applied that disallowed those characters and tags. The validation logic for creating and updating operations has now been properly aligned.
Note
Organization names can still contain the characters
<and>.
GraphQL API
Fixed an issue where saved queries could be created without a name, making them impossible to display in the UI. The
namefield in the GraphQL mutation createSavedQuery is now validated, and will fail when the value is empty or contains invalid characters.
Ingestion
A regression introduced in version 1.237 for parsers has been fixed. Previously, parsers were failing with the error message Parser failed with exception com.humio.jitrex.RegexCancelledException" despite previously operating above the timeout limit.
Fixed an issue where updating lookup files with more than one key column could cause an error that was reported to the user as an internal server error.
Queries
Fixed an issue in the query scheduler where segments were not correctly closed when the feature flag
AllowQuerySchedulerToBailOnSlowChunkswas enabled, leading to occasional query starvation.
Functions
Fixed an issue where a recent feature that introduced the ability to look up files in other views using the syntax
readFile(file://<path>), and to look up files in packages in other views using the syntaxreadFile("file://<otherview>/<scope>/<package>:<filename>")was not implemented for files served externally.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Storage
Segment fetches that perform segment merges and archving now each have the same priority as segment fetches for queries. As a result, they are prioritized on a first-come, first-served basis within this priority level.
This change helps avoid starvation of segment merges and archiving processes in cases of slow bucket downloads, or large numbers of segment downloads for queries.
Queries
Segment reading has been optimized for certain scenarios, primarily where events contain a larger number of fields.
Fleet Management
The Fleet Management configuration editor has been upgraded and is now based on the extensible code editor CodeMirror. This improves page loading times across LogScale and NG-SIEM, and includes the following improvements:
Ingest tokens are hidden in the editor until actively selected.
Visual warnings are displayed for unused sinks.
Note
Auto-completion with all required fields automatically added is currently not available in the new editor.
Metrics and Monitoring
Three new utilization percentage fields have been added to the same logs that record queryCostPerMs:
queryUtilizationPercentage - approximates CPU time spent on the query as a percentage of worker capacity.
userUtilizationPercentage - approximates CPU time spent on the user's queries as a percentage of worker capacity.
orgUtilizationPercentage - approximates CPU time spent on the organization's queries as a percentage of worker capacity.
These fields approximate how much CPU time is being spent within the time interval denoted by the corresponding queryCurrentTimespanMs, userCurrentTimespanMs, and orgCurrentTimespanMs fields. As the boundaries of this interval are approximate, it is possible for the utilization percentage to exceed 100%.
New logging fields have been added to make it easier to determine how much cost per millisecond a query is accumulating, as well as how much cost per millisecond the associated user and organization are accumulating across all their queries.
The new fields are logged on query workers and measure cost per millisecond for the query, user, and organization respectively:
queryCostPerMs - cost per millisecond for the query.
userCostPerMs - cost per millisecond for the user across all their queries.
orgCostPerMs - cost per millisecond for the organization across all their queries.
The time interval covered by each measurement is denoted by the queryCurrentTimespanMs, userCurrentTimespanMs, and orgCurrentTimespanMs fields. The interval can be controlled using the new
QuerySchedulerCostMetricsLoggingIntervalSecondsdynamic configuration parameter, which defaults to 30 seconds.These fields are logged periodically when a measurement interval ends while a query is running, and are also included in the "Query Ended" logs produced by the worker.
Functions
Two improvements previously gated by cluster version for the
correlate()function are now enabled by default, including for multi-cluster search scenarios where the minimum version is unknown:The time bucket boundary off-by-one millisecond fix, previously applied only when all nodes in the cluster were running at least version 1.238.
Selective scanning, previously used only when all nodes in the cluster were running at least version 1.239.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
juniper/srx has been updated to v1.5.4.
Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding
Updated parser version to 3.0.3
For more information, see Package juniper/srx Release Notes.
fortinet/fortigate has been updated to v2.4.0.
Added FortiSwitch device detection based on devname prefix (FSW)
Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller
Added FortiSwitch-specific field mappings for MAC address learned on switch port
Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"
Updated parser version to 5.3.0
For more information, see Package fortinet/fortigate Release Notes.
fortinet/fortigate has been updated to v2.3.4.
Enhanced CEF parsing to handle optional angle brackets in syslog priority field
Improved Vendor.type assignment logic for numeric cat values to use subtype instead
Added catch-all case to prevent field dropping in event categorization
Enhanced wireless event categorization with dedicated network connection handling
Added comprehensive wireless action outcome mapping for success/failure determination
Improved observer.serial_number field mapping to include Vendor.sn field
Added message field mapping from Vendor.msg for all events
Moved message field assignment outside of alert-specific logic for broader coverage
Updated parser version to 5.2.0 and ECS version to 9.3.0
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.10.0.
Added new regex pattern to handle logs with sequence numbers and timestamps in format: <priority>message_count: sequence: timestamp: %facility-severity-eventcode: message
Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers
Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings
Fixed IST timezone timestamp parsing to support optional milliseconds format
Improved LOGOUT event parsing to handle optional source address in parentheses
Updated parser version to 2.10.0
For more information, see Package cisco/ios Release Notes.
juniper/srx has been updated to v1.5.3.
Fixed timestamp parsing format for single-digit day values in BSD syslog format
Updated parser version to 3.0.2
Updated CPS version to 1.2.0
For more information, see Package juniper/srx Release Notes.
f5networks/bigip has been updated to v3.1.1.
Updated ECS version to 9.3.0 and Parser version to 4.0.1
Enhanced HTTP request parsing for ASM events with improved regex extraction for request content
Fixed HTTP request body content extraction to properly parse content portion from request data
Added HTTP request MIME type field mapping from Content-Type header
Corrected HTTP request referrer field mapping to use proper vendor field
Improved authentication failure parsing with more specific regex pattern for user extraction
Fixed indentation and formatting issues in audit event processing section
For more information, see Package f5networks/bigip Release Notes.