Falcon LogScale 1.189.0 GA (2025-05-20)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.189.0 | GA | 2025-05-20 | Cloud | 2026-06-30 | No | 1.150.0 | 1.177.0 | No |
Use docker pull humio/humio-core:1.189.0 to download the latest version
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions asn() and ipLocation() will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, like match(), iocLookup(), and cidr().
Removed
Items that have been removed as of this release.
Administration and Management
Removed assigned metrics:
segments-assigned-to-host-as-owner
segment-bytes-assigned-to-host-as-owner
These metrics provided incomplete data, tracking only post-merge segment assignments while excluding rebalancing-related segment movements.
GraphQL API
The following deprecated GraphQL mutations have been removed:
createParser
updateParser
removeParser
The following deprecated GraphQL fields have now been removed on the Parser output datatype:
assetType
sourceCode
tagFields
testData
The deprecated storage task of the GraphQL NodeTaskEnum has been removed (deprecated since v1.173.0). For more information, see RN Issue.
This removal affects hosts configured with node role all:
Dynamic configuration to disable segment storage and search is no longer supported
Use existing node eviction mechanism instead for this functionality
getFilterAlertConfig GraphQL field has been removed on HumioMetadata datatype.
Deprecation
Items that have been deprecated and may be removed in a future release.
The Humio-Usage package has been deprecated and scheduled for removal in version 1.189 LTS.
The color field on the Role type has been marked as deprecated (will be removed in version 1.195).
LogScale is deprecating free-text searches that occur after the first aggregate function in a query. These searches likely did not and will not work as expected. Starting with version 1.190.0, this functionality will no longer be available. A free-text search after the first aggregate function refers to any text filter that is not specific to a field and appears after the query's first aggregate function. For example, this syntax is deprecated:
```logscale
"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"
```
Some uses of the wildcard() function, particularly those that do not specify a field argument, are also free-text searches and therefore are deprecated as well. Regex literals that are not particular to a field, for example /(abra|kadabra)/, are also free-text searches and are thus also deprecated after the first aggregate function.
To work around this issue, you can:
Move the free-text search in front of the first aggregate function.
Search specifically in the @rawstring field.
If you know the field that contains the value you're searching for, it's best to search that particular field. The field may have been added by either the log shipper or the parser, and the information might not appear in the @rawstring field.
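The workarounds listed above, applied to the deprecated query, as an added example that is not part of the original release notes. The field name message is a hypothetical parser-added field used only for illustration; each query is a separate search.

```logscale
// Deprecated form: free-text filter placed after the first aggregate function, tail()
"Lorem ipsum dolor" | tail(200) | "sit amet, consectetur"

// Workaround 1: move the free-text filter in front of the first aggregate.
// The order of operations changes: events are filtered on both strings first,
// and tail() then keeps the last 200 of the matching events.
"Lorem ipsum dolor" | "sit amet, consectetur" | tail(200)

// Workaround 2: keep the filter after the aggregate, but make it field-specific
// by searching the @rawstring field explicitly.
"Lorem ipsum dolor" | tail(200) | @rawstring=/sit amet, consectetur/

// Field-specific variant: search the field known to hold the value.
// "message" is a hypothetical field name (assumption, not from the release notes).
"Lorem ipsum dolor" | tail(200) | message=/sit amet, consectetur/
```

Workaround 1 can return different events than the deprecated form intended, so saved searches and alert queries that filter after an aggregate should be reviewed individually before version 1.190.0.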
Free-text searches before the first aggregate function continue to work as expected since they are not deprecated. Field-specific text searches work as expected as well: for example, myField=/(abra|kadabra)/ continues to work also after the first aggregate function.
The use of the event functions eventInternals(), eventFieldCount(), and eventSize() after the first aggregate function is deprecated. For example:
Invalid Example for Demonstration - DO NOT USE
```logscale
eventSize() | tail(200) | eventInternals()
```
Usage of these functions after the first aggregate function is deprecated because they work on the original events, which are not available after the first aggregate function.
Using these functions after the first aggregate function will be made unavailable in version 1.190.0 and onwards.
These functions will continue to work before the first aggregate function, for example:
```logscale
eventSize() | tail(200)
```
The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
Ingestion
Added ingest feeds for consuming data from Azure Event Hubs:
Available for Self-Hosted installations only at this time.
Follows the same configuration pattern as AWS ingest feeds
For more information, see Ingest Data from Azure Event Hubs.
Queries
Added LogScale Multi-Cluster Search query handover support:
Enables automatic reconnection and continued polling of downstream remote clusters
Current limitation: local connection handovers are not supported, meaning that:
Progress on local connections will be lost after handover
Queries to local connections will be resubmitted, resulting in a potential temporary loss of progress.
Fixed in this release
Falcon Data Replicator
Fixed an issue where the check for which nodes should run an FDR feed didn't take node capabilities into account, potentially causing fewer nodes to actually run the feed.
Storage
LogScale no longer attempts to download MaxMind files when there is insufficient disk space.
Fixed a feature flag roll out issue on clusters where individual users or organizations were previously opted into the feature.
Important
Required Action:
If you previously disabled rolled-out features via API, you must reapply these opt-outs
This is necessary due to changes in how opt-outs are represented in Global Database.
An issue has been fixed that could cause unnecessary delays in uploading files to Bucket Storage.
Dashboards and Widgets
The Time Chart tooltip legend could show unsorted values on query result update. This issue has now been fixed so that the list of top scores is now sorted.
Queries
Fixed race condition in LogScale Multi-Cluster Search. Previously, queries initiated simultaneously with a new connection addition to the multi-cluster view could exclude the new connection for the query. This synchronization issue has been resolved.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
asimily/iomt has been updated to v1.1.1.
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignments
Removed deprecated parser asimily-iomt-json
For more information, see Package asimily/iomt Release Notes.
cloudflare/zerotrust has been updated to v1.2.2.
Fixed email attachment parsing by properly dropping temporary arrays
Updated ECS version to 8.17.0
Updated parser version to 2.1.2
For more information, see Package cloudflare/zerotrust Release Notes.
akamai/asec has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 8.17.0
Replaced rename() function with direct assignments for field mappings
Removed deprecated parser asec-json.yaml
For more information, see Package akamai/asec Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
okta/sso has been updated to v1.3.1.
Fixed source.user.full_name to use client.user.full_name instead of client.user.id
For more information, see Package okta/sso Release Notes.
nozomi/ids has been updated to v1.3.0.
Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format
Added support for new message types including threat intelligence updates, link status changes, and network scans
Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting
Improved field extraction for domain and username parsing
Fixed lowercase normalization for various address fields
The old parser nozomi-syslog is now officially removed from the Nozomi IDS package
For more information, see Package nozomi/ids Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
cisco/ios has been updated to v1.5.0.
Improved timestamp parsing for formats including year in different positions
Added support for MAC address extraction and normalization
Enhanced access list log parsing to handle MAC addresses in source fields
Added parsing for CFGLOG_LOGGEDCMD events to capture CLI commands
For more information, see Package cisco/ios Release Notes.
f5networks/bigip has been updated to v2.2.0.
Added support for F5 Advanced Firewall Module (AFM) logs
Improved ASM event categorization for better threat detection
Updated ECS version to 8.17.0
For more information, see Package f5networks/bigip Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
cisco/ios has been updated to v1.5.1.
Removed test cases
For more information, see Package cisco/ios Release Notes.
cisco/meraki has been updated to v1.4.1.
Added support for BSD syslog format with MMM dd HH:mm:ss timestamp format
For more information, see Package cisco/meraki Release Notes.
veeam/veeamdataplatform has been updated to v1.0.1.
Updated field assignments to use direct assignment instead of rename() function
Improved field mapping consistency
For more information, see Package veeam/veeamdataplatform Release Notes.
cisco/ise has been updated to v1.3.1.
Fixed field mapping for service.name instead of service.type
Improved timestamp parsing for additional formats
Enhanced field formatting for fields with hyphens in names
For more information, see Package cisco/ise Release Notes.
aws/cloudtrail has been updated to v1.1.6.
Updated parser version to 2.0.6
Updated CPS version to 1.0.0
Fixed TLS field handling by removing rename function and adding drop operations
For more information, see Package aws/cloudtrail Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
f5networks/bigip has been updated to v2.3.0.
Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)
Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields
Improved timestamp parsing to support additional formats
Enhanced key-value parsing with better handling of empty fields
For more information, see Package f5networks/bigip Release Notes.
aruba/clearpass has been updated to v1.2.3.
Updated field mapping to use format() function instead of rename() for better compatibility
Downgraded CPS version from 2.0.0 to 1.0.0
Removed deprecated clearpass-syslog.yaml parser file
For more information, see Package aruba/clearpass Release Notes.
fortinet/fortigate has been updated to v1.3.3.
Updated event outcome handling to set failure when action is block or blocked
Fixed test cases to match updated outcome logic
For more information, see Package fortinet/fortigate Release Notes.
cisco/ios has been updated to v1.6.0.
Enhanced event type categorization for more accurate event classification
Added support for additional Cisco IOS event codes including SGACLHIT, FAIL, DHCP_SNOOPING_DENY, and more
Improved MAC address normalization for better consistency
Added deduplication of event categories and types
For more information, see Package cisco/ios Release Notes.
infoblox/nios has been updated to v1.3.1.
Fixed an issue with DNS answers containing quotes
For more information, see Package infoblox/nios Release Notes.
zscaler/internet-access has been updated to v1.4.0.
Updated parser to use direct field assignments instead of rename() function
Fixed base64 decoding for URL fields
For more information, see Package zscaler/internet-access Release Notes.