Falcon LogScale 1.207.0 GA (2025-09-23)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.207.0 | GA | 2025-09-23 | Cloud | 2026-10-31 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.207.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Automation and Triggers
From version 1.219.0, LogScale will enforce a new limit of at most 10 actions per trigger (alert or scheduled search). Any existing trigger violating the limit will continue to run, but if you edit the trigger, you will be forced to restrict the number of actions to 10.
Removed
Items that have been removed as of this release.
GraphQL API
Removed the deprecated GraphQL field isValidFilterAlertQuery on the type queryAnalysis returned from the queryAnalysis GraphQL query.
Deprecation
Items that have been deprecated and may be removed in a future release.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Dashboards and Widgets
Event List's format column controls and field interactions that might alter the visualization or the query behind it have now been made inaccessible on dashboards.
Metrics and Monitoring
Metrics backed by exponential decay will now clear values if no new metrics arrive within 5 minutes (the bias period of the weighted metrics) rather than showing the same value until new data arrives.
New features and improvements
Configuration
Added endpoint override for the secret manager integration used for Azure ingest:
For the secret manager client, the endpoint is configured with SECRET_MANAGER_CLIENT_HOST_ENDPOINT_OVERRIDE, SECRET_MANAGER_CLIENT_PORT_ENDPOINT_OVERRIDE, and SECRET_MANAGER_CLIENT_PROTOCOL_ENDPOINT_OVERRIDE.
For the STS client, the endpoint is configured with SECRET_MANAGER_STS_HOST_ENDPOINT_OVERRIDE, SECRET_MANAGER_STS_PORT_ENDPOINT_OVERRIDE, and SECRET_MANAGER_STS_PROTOCOL_ENDPOINT_OVERRIDE.
Dashboards and Widgets
The Time Chart, Bar Chart, Pie Chart, Scatter Chart, and Sankey widgets now support multiple color palettes for differentiating between series.
Metrics and Monitoring
Added a new gauge metric build_info with a label named version containing the full build version. The value is a constant of 1.
Functions
Introduced a new function text:substring() that can extract a substring of a string based on the supplied indices.
Introduced a new function text:positionOf(), which finds the position of a given character or substring within a string. Useful in conjunction with text:substring().
Added a new function text:length(), which calculates the length of a string. Useful in conjunction with text:substring().
Added a timezoneField parameter to parseTimestamp(). This allows you to provide a dynamic default timezone for when the event's timestamps do not contain a timezone. You do this by specifying a field that contains the default timezone. This allows for the same parser to be used in contexts that do not share the same static default timezone, for instance when parsing events from different log sources.
Additionally, a deprecation warning has been added for the use of the timezone parameter, as the behavior will change in the future to act as default timezone instead of an override value. That is, it will no longer overwrite what is parsed from the event's timestamp.
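The difference between a default and an override timezone, shown as an added example that is not LogScale code and not part of these release notes: a Python model of the two semantics over constructed events from three log sources. The field names raw_ts and source_tz, the fixed-offset zone values, and the exact override behavior modeled here are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample events. raw_ts and source_tz are hypothetical field names;
# source_tz plays the role of the field named by timezoneField.
EVENTS = [
    {"id": "fw-tokyo",  "raw_ts": "2025-09-23T18:00:00",       "source_tz": "+09:00"},
    {"id": "vpn-nyc",   "raw_ts": "2025-09-23T05:00:30",       "source_tz": "-04:00"},
    {"id": "proxy-cph", "raw_ts": "2025-09-23T11:01:00+02:00", "source_tz": "+09:00"},
]

def _zone(offset):
    """Turn an offset string such as '+09:00' into a fixed-offset tzinfo."""
    return datetime.strptime(offset, "%z").tzinfo

def parse_default(event):
    """Default semantics: the per-event zone applies only if the timestamp has none."""
    ts = datetime.fromisoformat(event["raw_ts"])
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=_zone(event["source_tz"]))
    return ts.astimezone(timezone.utc)

def parse_override(event, static_offset):
    """Override semantics (assumed model): one static zone replaces any parsed zone."""
    ts = datetime.fromisoformat(event["raw_ts"])
    return ts.replace(tzinfo=_zone(static_offset)).astimezone(timezone.utc)

def timeline(parse):
    """Return event ids ordered by the UTC time the given parse function assigns."""
    return [e["id"] for e in sorted(EVENTS, key=parse)]

if __name__ == "__main__":
    print("default :", timeline(parse_default))
    print("override:", timeline(lambda e: parse_override(e, "+09:00")))
    for e in EVENTS:
        print(e["id"], parse_default(e).isoformat(),
              parse_override(e, "+09:00").isoformat())
```

In the override model the proxy event's own +02:00 offset is discarded and the New York event is read as Tokyo time, so the cross-source timeline is reordered; the default model keeps the three events in their true sequence.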
Fixed in this release
User Interface
The Parameters top panel could be open by default even though it did not contain any parameters. This wrong behavior has now been fixed.
Storage
The Storage Architecture was unable to copy files larger than 2GB, due to file corruption in transit, which caused the storage to leave such files on the primary storage device only. This issue has now been fixed.
Queries
Fixed the computation of digest flow information returned as part of query metadata. This information indicates which ingest timestamps are reliably included in the search result.
The changes primarily affect historic queries where the digest information is now fixed at query submission time, whereas previously it kept being updated on each poll. This was incorrect because the set of events for the query is fixed at submission time.
For consumers, the main effect is that the returned values are now generally going to be further in the past than previously.
For live queries, the fixes relate to races between computation of results and computation of digest flow info. To address this, digest flow info is now slightly more conservative than before.
When searching by ingest timestamp with interval (start, end), events with ingest timestamp equal to end would sometimes be incorrectly included. This wrong behavior has now been fixed.
Fleet Management
The organization permission ViewFleetManagement in Fleet management was not enough to see relevant pages. This issue has now been fixed.
Functions
Fixed rare cases where queries using correlate() would appear to stall after the first iteration.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
zscaler/internet-access has been updated to v1.5.1.
Enhanced user email field handling to only set user.email when a valid email format is detected
Improved MD5 hash field processing for file.hash.md5
Fixed conditional logic for user field extraction across all dataset types
Updated parser version to 2.5.1
For more information, see Package zscaler/internet-access Release Notes.
okta/sso has been updated to v1.4.2.
Enhanced timestamp parsing to handle events without published timestamp field
Improved target array parsing with better regex matching for JSON structure
Fixed handling of error message events that lack timestamp information
Updated parser version to 2.4.2
For more information, see Package okta/sso Release Notes.
okta/sso has been updated to v1.4.4.
Enhanced actor type handling with conditional logic for IP addresses and Event Hooks
Fixed client.user.full_name field mapping to handle different actor types appropriately
For more information, see Package okta/sso Release Notes.
zscaler/internet-access has been updated to v1.5.0.
Added support for multi-event processing with event.original.hash.sha256 field for bulk events
Updated parser to preserve event.original field for the first event in multi-event logs
Enhanced event processing logic to handle concatenated JSON events more efficiently
Updated parser version to 2.5.0
For more information, see Package zscaler/internet-access Release Notes.
cisco/firepower has been updated to v1.7.2.
Updated parser version to 3.3.2
Enhanced regex pattern for event code 106015 to better capture flags field with multiple values
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.3.1.
Fixed regex pattern for numerical action values to prevent backtracking issues
Updated parser version to 3.3.1
For more information, see Package checkpoint/ngfw Release Notes.
okta/sso has been updated to v1.4.3.
Enhanced target array parsing with improved regex pattern to handle whitespace variations in JSON structure
Fixed parsing of target arrays with flexible spacing between "target" field and array brackets
For more information, see Package okta/sso Release Notes.
checkpoint/ngfw has been updated to v2.3.0.
Enhanced observer name extraction from originsicname field using regex pattern
Improved source field handling for email addresses and IP addresses in 'from' field
Added service.id and service.name field mappings with protocol detection
Enhanced network protocol detection based on service identifiers
Updated parser version to 3.3.0 and CPS version to 1.1.0
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ise has been updated to v1.4.0.
Added support for CISE_TACACS_Accounting events (codes 3300, 3301, 3302)
Added comprehensive TACACS+ diagnostics parsing for CISE_TACACS_Diagnostics category
Enhanced event categorization for TACACS+ authentication, authorization, and accounting events
Added support for TACACS+ network access control and user management events
Updated parser version to 2.1.0
For more information, see Package cisco/ise Release Notes.
aws/guardduty has been updated to v1.2.1.
Updated severity threshold logic to use >= instead of > for more accurate alert classification
Fixed severity mapping to properly categorize findings at exact threshold values (9.0, 7.0, 4.0)
Updated parser version to 1.3.1
For more information, see Package aws/guardduty Release Notes.