Falcon LogScale 1.201.1 LTS (2025-09-02)

  • Version: 1.201.1

  • Type: LTS

  • Release Date: 2025-09-02

  • Availability: Cloud, On-Prem

  • End of Support: 2026-09-30

  • Security Updates: Yes

  • Upgrades From: 1.150.0

  • Downgrades To: 1.177.0

  • Config. Changes: No


These notes include entries from the following previous releases: 1.200.0, 1.199.0, 1.198.0, 1.197.0, 1.196.0

Bug fixes and updates.

Removed

Items that have been removed as of this release.

Storage

  • Removed the ingest request backpressure mechanism introduced in 1.115. This mechanism throttled ingest requests on nodes running digest work while experiencing event latency. The implementation prevented clusters from properly using Kafka as a buffer for event backlogs. Additionally, it hid the existence of backlogs from administrators by delaying events on shippers rather than in Kafka, where they are visible to LogScale.

    Administrators are advised to either:

    • Size nodes to handle temporary ingest rate spikes without falling behind on digest.

    • Run separate ingest and digest nodes to prevent ingest spikes from consuming capacity needed for digest work.

    This change also removes the following dynamic configurations:

Configuration

  • Removed the following deprecated environment variables:

    • JOIN_ENABLED

    • SELFJOIN_ENABLED

    • WINDOW_ENABLED

    • SERIES_ENABLED

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The AUTOSHARDING_MAX configuration variable is now deprecated and will be removed in version 1.207.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Installation and Deployment

    • When using KAFKA_MANAGED_BY_HUMIO=true, LogScale will now crash on boot if it fails to determine whether its topics exist in Kafka via Kafka's admin API. Previously, LogScale would assume the topics didn't exist and attempt to create them, resulting in confusing error messages if the topics actually existed.

    • The Docker image base has been changed from Alpine to Wolfi OS. Main impact:

      • Most users won't notice any difference

      • Shell users (shell used manually inside the container) may notice different available binaries

      • apk package manager has been removed, as no longer needed in these images

      • Users still needing apk should contact Support.

      Method used in previous releases:

      • ARM64 version of LogScale as a special tag (for example, 1.195.0--arm64).

      New method:

      • Single-tag Docker image index covering both ARM and x86

      • Format example for both ARM and x86 users: 1.195.0 (plain tag).
      • Users now get the appropriate architecture image automatically with the plain tag.

      Users currently using for example 1.195.0--arm64 tag should switch to the plain tag.

  • GraphQL API

    • Setting the MaxRelocatedDatasourcesInGlobal field of the DynamicConfig datatype to 0 or a negative value now sets the limit to 0 instead of resetting to the default value. Users wishing to return to the default value should use the API to unset the configuration.

  • Storage

    • The AWS Netty client is now disabled as the default HTTP client for S3 bucket operations. LogScale reverts to the existing PekkoHttpClient by setting the default value of S3_NETTY_CLIENT to false. This change addresses performance issues identified when downloading significant amounts of data from the S3 bucket for queries.

  • Configuration

    • The MAX_DATASOURCES environment variable no longer controls the maximum datasources of system repositories. System repositories now have a default maximum of 50,000 datasources.

  • Ingestion

    • The fields @id and @ingesttimestamp can no longer be set by ingesting them. These fields are set internally by LogScale and LogScale depends upon them not being overwritten. If events are ingested with these fields, the field values are now ignored and a warning is added to the event.

      Before this change, setting the @id field did not work: LogScale would just overwrite this field. Setting the @ingesttimestamp field worked partially; depending on your query, you could see the field value or the actual ingest time of the event.

      The LogScale Repository action will no longer retain the value of the fields @id, @ingesttimestamp, @input_size, @event_parsed, @error, @error_msg and @error_msg[i] for any index i, as these are special fields in LogScale and will be set automatically on the newly ingested events. Instead, the value of these fields from the events sent to the action will be stored in fields named @id.original, @ingesttimestamp.original, @input_size.original, @event_parsed.original, @error.original, @error_msg.original and @error_msg.original[i].

      If you need to restore the previous functionality, that is possible for most of the fields by updating the parser you use to revert these changes. Note, however, that you cannot do this for @id and @ingesttimestamp fields, as LogScale now ignores those fields on ingested events.

    • Ingest-only nodes (ingestonly node role) will no longer be selected as table coordinators.

  • Queries

    • Aggregate streaming queries are now terminated if the originating HTTP request is closed.

  • Packages

    • Custom packages now require a more strict folder structure to ensure consistency and reliability:

      • The manifest.yaml file can be located anywhere in the project, and its location defines the package root.

      • All asset folders (such as parsers, alerts, and actions) must be directly located in the project root.
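A pre-upgrade layout check for the package rule above, added here as an example (it is not LogScale tooling). It assumes "directly located in the project root" means a direct child of the directory holding manifest.yaml, and it checks only the three folder names the note mentions; the function name `misplaced_assets` is hypothetical.

```sh
#!/bin/sh
# Added example, not LogScale tooling. ASSET_DIRS holds only the three folder
# names the release note mentions; the complete set is not given on the page.
ASSET_DIRS="parsers alerts actions"

# misplaced_assets PROJECT_DIR
# Prints each asset folder that is not a direct child of the package root
# (the directory containing manifest.yaml).
# Exit status: 0 = layout ok, 1 = misplaced folders, 2 = manifest missing/ambiguous.
misplaced_assets() (
  project=$1
  manifests=$(find "$project" -type f -name manifest.yaml)
  count=$(printf '%s\n' "$manifests" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one manifest.yaml under $project, found $count" >&2
    exit 2
  fi
  root=$(dirname "$manifests")   # manifest location defines the package root

  found=$(
    for name in $ASSET_DIRS; do
      # Every folder with an asset name, except the one directly in the root.
      find "$project" -type d -name "$name" ! -path "$root/$name"
    done
  )
  if [ -z "$found" ]; then exit 0; fi
  printf '%s\n' "$found"
  exit 1
)

# Stand-alone use: sh check_package.sh path/to/package-project
if [ $# -gt 0 ]; then misplaced_assets "$1"; fi
```

Asset folders that sit above the package root are reported as well, since the search starts at the project directory rather than at the manifest.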

New features and improvements

  • Installation and Deployment

    • Added the environmental variable HUMIO_OPTS_FS, which can be set to override the field separator used when word-splitting using HUMIO_OPTS in the launcher script. This is useful when the options contain characters in $IFS (such as spaces), which would otherwise be split incorrectly.

      For more information, see LogScale Launcher Script.
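The splitting problem that HUMIO_OPTS_FS addresses, as an added example that is not the launcher script's code. It assumes the separator is applied the way the shell's IFS is during an unquoted expansion; `split_opts` and the option strings are constructed for illustration. Quotes stored inside the variable do not protect a space, so the first string yields three arguments instead of two.

```sh
#!/bin/sh
# Added example: models the word-splitting step only; not the launcher's code.

# split_opts OPTS [FS]
# Splits OPTS the way an unquoted $HUMIO_OPTS expansion is split and prints
# one resulting argument per line. FS replaces the default separators.
split_opts() (
  opts=$1
  [ $# -ge 2 ] && IFS=$2
  set -f              # no globbing: a '*' inside an option must stay literal
  set -- $opts        # unquoted on purpose: this is the word-splitting step
  [ $# -eq 0 ] || printf '%s\n' "$@"
)

# Constructed option strings; com.example.banner is a made-up system property.
DEFAULT_FS_OPTS='-Xmx4g -Dcom.example.banner="hello world"'
CUSTOM_FS_OPTS='-Xmx4g|-Dcom.example.banner=hello world'

echo "default separators:"; split_opts "$DEFAULT_FS_OPTS" | sed 's/^/  arg: /'
echo "separator '|':";      split_opts "$CUSTOM_FS_OPTS" '|' | sed 's/^/  arg: /'
```

With the default separators the JVM would receive a stray `world"` argument; with `|` as the separator the property value keeps its space.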

  • Administration and Management

    • Added an election system to address hardware failures. A node can be elected using the REST endpoint /api/v1/internal/hardware-failure, marking a node as being elected with a hardware failure for 60 minutes.

      There are three reasons a node can be elected as bad:

      • Slow query: Query coordinators have seen the same node operating up to 100 times slower at query execution than others.

      • Poll connection timeout: Polls have timed out across all nodes in the cluster when trying to query a node.

      • Hardware failure: When hardware has underlying issues such as disk corruption, a node can be elected through the /api/v1/internal/hardware-failure endpoint, and eventually automatically evicted.

      All votes can be tracked through the log line Casting vote because a host is in a bad state. All elections can be tracked through the log line These nodes were deemed bad by the rest of the cluster.

  • User Interface

    • Added a new functionality to the Parsers page for importing test cases from log files (limited to 30):

      • A new Import tests button has been added with two import modes: Append mode to add new test cases to existing ones, and Overwrite mode to replace existing test cases with newly imported ones.

      • The Delete test button in the header has been replaced by a trash can button next to each test case that appears when hovering over or clicking on the test case.

      For more information, see Import Test Cases.

    • Added a Spanish locale to the platform, so a cluster can now be initialized with Spanish translations.

    • The following repository/view pages in the LogScale web interface now manage assets in a table layout format:

      • Dashboards — new page layout for listing repository dashboards under the top bar menu item Dashboards.

      • Parsers — new page layout for listing repository parsers under the top bar menu item Parsers.

      • Actions — new page layout for listing repository actions under the top bar menu item Automation.

      • Resources — this is a new web interface page containing the following assets:

        • Files (replaces the former Files top bar menu item; sorting capability not yet available at this time).

        • Interactions — interactions have been moved from the repository Settings menu to this Resources page, with new columns for created/modified metadata (sorting capability not yet available at this time).

        • Saved Searches — a new page for managing saved searches with the table format layout.

      These pages can now support scalable management of large asset volumes with improved search, filter and sort capabilities, making it easier to find the assets you're looking for.

    • Redesigned the experience of managing saved queries on the Search page, by introducing new web interface items:

      • New Searches button next to the widget type selector

      • My recents tab — allows recalling recent queries in an updated page.

      • Saved Searches tab — opens a panel for saved searches with information like descriptions, labels, and last modified.

      • Favorites tab — displays saved queries that users marked as favorites.

      • Action buttons for saved and favorite searches, notably the Add as function button.

      • Updated dialog where you can now add/edit description of the saved search as well as labels.

      For more information, see Save searches.

  • GraphQL API

  • API

    • Added a new field, namedFilterQueries, to the query API.

      This will contain queries which can be executed to see the events that each subquery in a correlate() function matches on. This field can be used to debug correlate queries.

    • Added new GraphQL API capabilities for searching across different types of LogScale assets:

      • Extended entitiesSearch query endpoint to support sorting and filtering on specific asset properties. Use entitiesPage to navigate the results.

        Specify argument(s) for paths to search in to narrow down search result to e.g. a specific view.

      • New entitiesLabels query endpoint to get all labels across asset types.

        Specify argument(s) for paths to search in to narrow down search result to e.g. a specific view.

      • New entitiesPackages query endpoint to get all package details across asset types.

      Added new fields to various asset types including createdInfo, modifiedInfo, and labels.

  • Configuration

  • Functions

    • The correlate() function now supports using saved queries in subqueries.

    • Added text:startsWith() which can be used to test whether a field or string constant contains a specific prefix.

    • Added text:endsWith() which can be used to test whether a field or string constant contains a specific suffix.

    • The new percentage() query function is now available. It allows you to calculate the percentage of events that match a subquery.

      For more information, see percentage().

Fixed in this release

  • Security

  • Automation and Triggers

    • The Schedule configuration for scheduled searches no longer flips to Simple when a cron expression for specific months is specified.

  • Storage

    • In some cases a digester node would not get partitions assigned while coming back online after a planned restart. This issue has now been fixed.

    • Indicators of Compromise (IoC) with more than 127 labels were unable to be stored. This issue has now been fixed.

    • Startup failed if a host contained a deprecated storage task in the global database. This issue has now been fixed.

    • Corrected an issue where datasources migrating to new Kafka partitions during rebalancing carried over offsets from their original partitions, preventing LogScale from determining where to start digest.

      Migrated datasources now start with an offset of -1 and are marked as idle upon creation. This allows LogScale to skip these datasources when determining where to start digest, and will continue to ignore them until receiving a message.

  • Configuration

  • Dashboards and Widgets

    • Fixed an issue with the Look Up Events interaction in the Table widget, which would in certain scenarios result in an invalid query.

  • Ingestion

    • The data-ingester-parser-errors metric has been fixed as it was under-reporting, meaning it was showing fewer parser errors than were actually occurring (the data-ingester-errors metric reported errors as normal, though).

  • Queries

    • In rare cases the query state cache files on disk were not cleaned up properly. This change fixes those cases along with better error handling and logging.

    • Fixed an issue where queries using personal user tokens weren't audit logged with the correct actor type.

    • Fixed an issue where streaming queries would sometimes fail to start and would terminate abruptly if planning the query was slow. In such cases a lock could also be leaked, which would prevent future streaming queries for that view from starting.

    • Fixed an issue where slow queries were unable to search bucketed and replaced non-mini segments, because they were deleted from the bucket earlier than intended.

  • Functions

    • Fixed an issue where reuse of queries would not detect changes to saved queries used inside the defineTable() query function.

    • The correlate() function would fail to find - or find incorrect - constellations of events when link operators referenced modified fields. The link operator would always look for the field on the original, unmodified event, thereby missing any events added in the query.

      For example, this query:

      correlate(
        A: { static_email := "foo@bar.com" },
        B: { email <=> A.static_email }
      )

      would previously fail to find events that satisfy the constraints because the field static_email was not present on the original event. The issue has been fixed so that such a query now correctly finds the events.

    • Fixed an issue in the correlate() function where conditional statements (such as case / if) with field assignments incorrectly included fields from all branches in the output, rather than only fields from the executed branch.

    • Fixed an issue in the correlate() function where case statements within the query caused incorrect filter query generation for event tabs. Previously, filter queries extracted all conditions from different case branches, causing event tabs to appear empty even when correlate() found valid constellations. Filter query generation now correctly preserves the case statement structure in event tab filters.

Improvement

  • User Interface

    • When running a correlate() query, a named events tab will now appear for each sub-query of the correlate function, instead of a single events tab for the entire query.

  • GraphQL API

    • Added support for partial time intervals for GraphQL endpoint analyzeQuery(). Default time interval values are now aligned with the query jobs API.

  • Storage

    • Optimized encryption during bucket uploads by reducing the amount of copying.

    • LogScale now validates segment file copies when creating them in secondary storage. This will help prevent file corruption during this type of transfer.

  • API

    • Added queryId field to audit logs when starting queries. For queries started via queryjobs, this contains the ID of the job that is returned to the client. For streaming queries, the ID is the internal query ID that is returned in the header of the response.

  • Queries

    • LogScale request logs no longer contain internal query poll or delete requests on the queryjobs endpoint, unless those requests either fail or take more than 5 seconds.

      To increase visibility into query worker and coordinator communication, the new metric internal-queryjobs-timing has been added, which tracks the response times for polls on the queryjobs endpoint.

    • LogScale now allows distribution of large query state caches of arbitrary size to followers.

  • Functions

    • The Language Server Protocol (LSP) now provides enhanced code completion for the correlate() function. The LSP now includes contextual suggestions for subquery snippets as well as relevant attribute suggestions based on the query context.