Falcon LogScale 1.175.0 GA (2025-02-11)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.175.0GA2025-02-11

Cloud

2026-03-31No1.150.01.157.0No

Hide file download links

Show file download links

Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale Syntax
    "Lorem ipsum dolor"
| tail(200)
| "sit amet, consectetur"

    Some uses of the wildcard() function, particularly those that do not specify a field argument are also free-text-searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example /(abra|kadabra)/ are also free-text-searches and are thus also deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, myField=/(abra|kadabra)/ continue to work also after the first aggregate function.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() 
| tail(200) 
| eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() 
| tail(200)

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

New features and improvements

  • Security

  • User Interface

    • The query editor warnings are now also displayed as runtime warnings. As a result, new warnings for some queries might be displayed. For example, queries that use experimental features will now show warnings. These warnings may trigger notifications for alerts and scheduled searches that use features with associated warnings. However, these queries should continue to run normally. Other hints and information in the query editor remain unchanged.

    • A new IOC Lookup field interaction is now available for IP fields (for example, ip_address). Invoking this interaction will generate a new query by calling the ioc:lookup() query function. The new query will use the name of the selected IP field as the field argument for the function. For example:

      logscale Syntax
      ioc:lookup(field=[actor.ip], type="ip_address", confidenceThreshold="unverified", strict=true)

      For more information, see Field Interactions.

  • GraphQL API

    • The s3ResetArchiving() GraphQL mutation now supports resetting cluster wide archiving on a repository through a new archivalKind field.

  • Functions

    • The new query functions array:exists() and objectArray:exists() are now available. They are both used to filter events based on whether the given array contains an element that satisfies a given condition.

      For performance reasons, LogScale recommends using array:exists(), but it can be used for flat arrays only (not for nested arrays). For nested arrays (for example JSON structures), use objectArray:exists() instead.

      Both functions offer more flexibility compared to array:contains() in cases where, for example, you need to compare array elements with values from other fields.

Fixed in this release

  • Storage

    • An issue related to undersized-merging of existing segments has been fixed. Previously, this process could create segments spanning up to 15 days, even in repositories with shorter retention periods (such as 30 days). Now, the merging process adheres to the UndersizedMergingRetentionPercentage dynamic configuration. For example, in a repository with a 30-day retention period, the maximum span for undersized-merging output is now 6 days.

    • A bug that was introduced in version 1.173.0 has been fixed. This bug could cause a node to crash when hash filter files were deleted during digest processing.

  • Queries

    • An internal file verification job might not start correctly, which in turn may block digest. This issue has now been fixed.

Recent Package Updates

The following LogScale packages have been updated within the last month.