Falcon LogScale 1.197.0 GA (2025-07-15)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.197.0 | GA | 2025-07-15 | Cloud | Next LTS | No | 1.150.0 | 1.177.0 | No |
Available for download two days after release.
Hide file download links
Download
Use docker pull humio/humio-core:1.197.0 to download the latest version
Deprecation
Items that have been deprecated and may be removed in a future release.
AUTOSHARDING_MAXconfiguration variable is now being deprecated and will be removed in version 1.207.The
lastScheduledSearchfield from theScheduledSearchdatatype is now deprecated and planned for removal in LogScale version 1.202. The newlastExecutedandlastTriggeredfields have been added to theScheduledSearchdatatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Installation and Deployment
The Docker image base has been changed from Alpine to Wolfi OS. Main impact:
Most users won't notice any difference
Shell users (shell used manually inside the container ) may notice different available binaries
apk package manager has been removed, as no longer needed in these images
Users still needing apk should contact Support.
Method used in previous releses:
ARM64 version of LogScale as a special tag (for example,
1.195.0--arm64).New method:
Single-tag Docker image index covering both ARM and x86
- Format example for both ARM and x86 users:
1.195.0(plain tag).Users now get the appropriate architecture image automatically with the plain tag.
Users currently using for example
1.195.0--arm64tag should switch to the plain tag.Queries
Aggregate streaming queries are now terminated if the originating HTTP request is closed.
New features and improvements
User Interface
Added a new functionality to the
Parserspage for importing test cases from log files (limited to 30):A new button has been added with two import modes:
Appendmode to add new test cases to existing ones, andOverwritemode to replace existing test cases with newly imported ones.The button in the header has been replaced by a trash can button next to each test case that appears when hovering over or clicking on the test case.
For more information, see Import Test Cases.
GraphQL API
Added three endpoints to enable transfer of segments and uploaded files to its organizations current bucket:
addOrganizationForBucketTransfer tells LogScale to start moving segments and uploaded files under the organization.
removeOrganizationForBucketTransfer tells LogScale to stop an ongoing transfer.
getStatusOrganizationForBucketTransfer asks whether a transfer is ongoing for this organization.
trueif the transfer is ongoing,falseotherwise.
Functions
The
correlate()function now supports using saved queries in subqueries.
Fixed in this release
Storage
In some cases a digester node would not get partitions assigned while coming back online after a planned restart. This issue has now been fixed.
Queries
Fixed an issue where queries using personal user tokens weren't audit logged with the correct actor type.
Fixed an issue where streaming queries would sometimes fail to start and would terminate abruptly if planning the query was slow. In such cases a lock could also be leaked, which would prevent future streaming queries for that view from starting.
Functions
The
correlate()function would fail to find - or find incorrect - constellations of events when link operators referenced modified fields. The link operator would always look for the field on the original, unmodified event, thereby missing any events added in the query.For example, this query:
logscalecorrelate( A: { static_email := "foo@bar.com" }, B: { email<=>A.static_email } )would previously fail to find events that satisfy the constraints because the field static_email was not present on the original event. The issue has been fixed so that such a query now correctly finds the events.
Improvement
User Interface
When running a
correlate()query, a named events tab will now appear for each sub-query of the correlate function, instead of a single events tab for the entire query.
API
Added queryId field to audit logs when starting queries. For queries started via
queryjobs, this contains the ID of the job that is returned to the client. For streaming queries, the ID is the internal query ID that is returned in the header of the response.