Falcon LogScale 1.188.0 GA (2025-05-13)

  • Version: 1.188.0

  • Type: GA

  • Release Date: 2025-05-13

  • Availability: Cloud

  • End of Support: 2026-06-30

  • Security Updates: No

  • Upgrades From: 1.150.0

  • Downgrades To: 1.177.0

  • Config. Changes: No

Bug fixes and updates.

Advance Warning

The following items are due to change in a future release.

  • Functions

    • Starting from release 1.195, the query functions asn() and ipLocation() will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, like match(), iocLookup(), and cidr().

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The storage task of the GraphQL NodeTaskEnum is deprecated and scheduled to be removed in version 1.189. This affects the following items:

  • LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:

    logscale Syntax
    "Lorem ipsum dolor"
    | tail(200)
    | "sit amet, consectetur"

    Some uses of the wildcard() function, particularly those that do not specify a field argument, are also free-text searches and are therefore deprecated as well. Regex literals that are not tied to a field, for example /(abra|kadabra)/, are also free-text searches and are likewise deprecated after the first aggregate function.

    To work around this issue, you can:

    • Move the free-text search in front of the first aggregate function.

    • Search specifically in the @rawstring field.

    If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.

    Free-text searches before the first aggregate function are not deprecated and continue to work as expected. Field-specific text searches also work as expected: for example, myField=/(abra|kadabra)/ continues to work after the first aggregate function.

  • The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:

    Invalid Example for Demonstration - DO NOT USE
    logscale
    eventSize() 
    | tail(200) 
    | eventInternals()

    Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.

    Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.

    These functions will continue to work before the first aggregate function, for example:

    logscale
    eventSize() 
    | tail(200)

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
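To find saved searches, alerts, or dashboards affected by the two query deprecations above (free-text searches and eventInternals(), eventFieldCount(), eventSize() after the first aggregate function) before version 1.190.0, query text can be checked offline. The following is an added example, not part of LogScale or these release notes: a heuristic Python check whose function names are hypothetical and whose list of aggregate functions is a partial assumption to extend for your own queries.

```python
import re
# Assumption: a partial list of LogScale aggregate functions; extend as needed.
AGGREGATES = {"tail", "head", "groupby", "count", "top", "sort",
              "timechart", "bucket", "stats", "table"}
EVENT_FUNCS = {"eventinternals", "eventfieldcount", "eventsize"}

def split_pipeline(query):
    """Split on top-level '|', skipping pipes inside strings, regexes, brackets."""
    stages, buf, depth, quote, esc = [], "", 0, None, False
    for ch in query:
        if quote:                                   # inside "..." or /.../
            if ch == quote and not esc:
                quote = None
            esc = ch == "\\" and not esc
        elif ch == '"' or (ch == "/" and buf.rstrip()[-1:] in ("", "=")):
            quote = ch                  # '/' opens a regex at stage start or after '='
        elif ch in "([{)]}":
            depth += 1 if ch in "([{" else -1
        elif ch == "|" and depth == 0:
            stages.append(buf.strip())
            buf = ""
            continue
        buf += ch
    stages.append(buf.strip())
    return [s for s in stages if s]

def classify(stage):                    # heuristic: looks only at how the stage starts
    m = re.match(r"([A-Za-z_][\w:]*)\s*\(", stage)
    name = m.group(1).lower() if m else ""
    if name in AGGREGATES or name in EVENT_FUNCS:
        return "aggregate" if name in AGGREGATES else "event-function"
    bare = stage[0] in '"/' or re.fullmatch(r"[\w*]+", stage)
    if bare or (name == "wildcard" and not re.search(r"\bfield\s*=", stage)):
        return "free-text"
    return "other"

def audit(query):
    """Return (stage_no, kind, text) for constructs deprecated after the first aggregate."""
    findings, seen_aggregate = [], False
    for n, stage in enumerate(split_pipeline(query), 1):
        kind = classify(stage)
        if kind == "aggregate":
            seen_aggregate = True
        elif seen_aggregate and kind != "other":
            findings.append((n, kind, stage))
    return findings

# Constructed check against the deprecated free-text query quoted in these notes.
print(audit('"Lorem ipsum dolor"\n| tail(200)\n| "sit amet, consectetur"'))
```

An empty result means no deprecated construct was recognised; because the check only inspects the start of each pipeline stage, a stage that combines a free-text term with other filters still needs manual review.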

New features and improvements

  • Administration and Management

    • A new internal metric data-ingester-parser-errors is now available in the humio-metrics repository to provide error tracking at parser level. Similar to existing data-ingester-errors, it tracks errors per parser per repository (versus only per repository).

  • User Interface

    • Improved automatic indentation insertion in the Query Editor in bracket contexts. For example:

      logscale Syntax
      groupBy( x, function=[ ] )

      will now auto-indent on newline insertions to:

      logscale Syntax
      groupBy( x, function=[
            ] )

Fixed in this release

  • Administration and Management

    • A 401 Unauthorized authentication error was issued across all views and repositories for all users during file export, despite the token being valid. This issue has been fixed: the authentication process has been corrected and file export now works as expected with valid tokens.

  • User Interface

    • Fixed an issue where clicking Scroll to load more in the top banner of the Event list would not update the view if the event list itself was paused.

  • Configuration

    • Changes to the LookupTableSyncAwaitSeconds dynamic configuration were not reflected until the next server restart. This issue has been fixed so that changes in this configuration's value are now reflected immediately.

  • Queries

    • Fixed an issue where query routing inside the cluster relied on original authentication from the client rather than internal authentication. This could lead to a situation where a user could submit a query, but was unable to then poll it.

    • Fixed a race condition that could occur when states were merged in Query Coordination during the query handover process. This could result in corrupted query state or failed query handover.

    • Fixed an issue where a query might be marked as "cancelled" but not "done" when exceptions occurred during result calculation failures, such as RPC request failures.

  • Other

    • Fixed an issue that could cause globally enabled features to appear to be disabled for individual organizations.

Improvement

  • User Interface

    • It is now possible to resize the Fields panel flyout when selecting a field for inspection.

  • Queries

    • Changed how queries track segment merging, which should eliminate edge cases where queries miss data due to merges.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • asimily/iomt has been updated to v1.1.1.

      • Updated ECS version to 8.17.0

      • Removed rename() function calls for direct field assignments

      • Removed deprecated parser asimily-iomt-json

      For more information, see Package asimily/iomt Release Notes.

    • cloudflare/zerotrust has been updated to v1.2.2.

      • Fixed email attachment parsing by properly dropping temporary arrays

      • Updated ECS version to 8.17.0

      • Updated parser version to 2.1.2

      For more information, see Package cloudflare/zerotrust Release Notes.

    • akamai/asec has been updated to v1.1.1.

      • Updated ECS version from 8.11.0 to 8.17.0

      • Replaced rename() function with direct assignments for field mappings

      • Removed deprecated parser asec-json.yaml

      For more information, see Package akamai/asec Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.1.

      • Improved regex patterns for timestamp parsing

      • Added support for error messages with socket failures

      • Enhanced field extraction for DNS packet information

      • Fixed array handling for DNS header flags

      • Updated parser version to 2.2.1

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • okta/sso has been updated to v1.3.1.

      • Fixed source.user.full_name to use client.user.full_name instead of client.user.id

      For more information, see Package okta/sso Release Notes.

    • forcepoint/dlp has been updated to v1.2.0.

      • Added severity mapping based on Forcepoint documentation

      • Improved user domain extraction

      • Enhanced array handling for event categories and types

      • Optimized field cleanup process

      • The old parser dlp-cef is now officially removed from the Forcepoint DLP package

      For more information, see Package forcepoint/dlp Release Notes.

    • nozomi/ids has been updated to v1.3.0.

      • Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format

      • Added support for new message types including threat intelligence updates, link status changes, and network scans

      • Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting

      • Improved field extraction for domain and username parsing

      • Fixed lowercase normalization for various address fields

      • The old parser nozomi-syslog is now officially removed from the Nozomi IDS package

      For more information, see Package nozomi/ids Release Notes.

    • claroty/ctd has been updated to v1.2.0.

      • Updated ECS version to 8.17.0

      • Improved event categorization using array:append

      • Added event severity mapping

      • Optimized field handling and cleanup

      • The old parser cef-latest is now officially removed from the Claroty CTD package

      For more information, see Package claroty/ctd Release Notes.

    • cisco/ios has been updated to v1.5.0.

      • Improved timestamp parsing for formats including year in different positions

      • Added support for MAC address extraction and normalization

      • Enhanced access list log parsing to handle MAC addresses in source fields

      • Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands

      For more information, see Package cisco/ios Release Notes.

    • f5networks/bigip has been updated to v2.2.0.

      • Added support for F5 Advanced Firewall Module (AFM) logs

      • Improved ASM event categorization for better threat detection

      • Updated ECS version to 8.17.0

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/ios has been updated to v1.5.1.

      • Removed test cases

      For more information, see Package cisco/ios Release Notes.

    • cisco/meraki has been updated to v1.4.1.

      • Added support for BSD syslog format with MMM dd HH:mm:ss timestamp format

      For more information, see Package cisco/meraki Release Notes.

    • cisco/ise has been updated to v1.3.1.

      • Fixed field mapping for service.name instead of service.type

      • Improved timestamp parsing for additional formats

      • Enhanced field formatting for fields with hyphens in names

      For more information, see Package cisco/ise Release Notes.

    • cisco/firepower has been updated to v1.6.3.

      • Updated field assignment syntax from rename() to direct assignment

      • Fixed regex pattern for teardown connections to handle optional fields

      • Improved lower() function usage for better performance

      For more information, see Package cisco/firepower Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.3.0.

      • Added support for additional log formats

      • Improved handling of DNS debug log header lines

      • Updated ECS version to 8.17.0

      • Enhanced field extraction for DNS packet information

      • Added support for self-referential DNS messages

      • The old parser windows-dns is now officially removed from the Microsoft Windows DNS package

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • fortinet/fortigate has been updated to v1.3.3.

      • Updated event outcome handling to set failure when action is block or blocked

      • Fixed test cases to match updated outcome logic

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/ise has been updated to v1.3.0.

      • Sets the event.outcome based on the Vendor.FailureReason field

      • The old parser cisco-ise-syslog is now officially removed from the Cisco Identity Services Engine (ISE) package

      For more information, see Package cisco/ise Release Notes.

    • fortinet/fortigate has been updated to v1.3.2.

      • Updated field assignments to use direct assignment instead of rename function

      • Updated ECS version to 8.17.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/ios has been updated to v1.6.0.

      • Enhanced event type categorization for more accurate event classification

      • Added support for additional Cisco IOS event codes including SGACLHIT, FAIL, DHCP_SNOOPING_DENY, and more

      • Improved MAC address normalization for better consistency

      • Added deduplication of event categories and types

      For more information, see Package cisco/ios Release Notes.

    • infoblox/nios has been updated to v1.3.1.

      • Fixed an issue with DNS answers containing quotes

      For more information, see Package infoblox/nios Release Notes.

    • zscaler/internet-access has been updated to v1.4.0.

      • Updated parser to use direct field assignments instead of rename() function

      • Fixed base64 decoding for URL fields

      For more information, see Package zscaler/internet-access Release Notes.