Falcon LogScale 1.220.0 GA (2025-12-23)

Version: 1.220.0
Type: GA
Release Date: 2025-12-23
Availability: Cloud
End of Support: Next LTS
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No

Available for download two days after release.

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

  • Queries

    • Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:

      • Octal notation

      • Quantification of unquantifiable constructs

      Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.

      Here is an example of a common octal notation issue:

      regex
      /10\.26.\122\.128/

      In this example, \122 is interpreted as the octal escape for R rather than the intended literal 122. Similarly, the . matches not just the punctuation itself but also any single character except for new lines.

      Any construction of \x where x is a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the corresponding capture group does not exist, it will be an error.

      Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.

      Unquantifiable constructs being removed include:

      • ^ (the start of string/start of line)

      • $ (the end of string/end of line)

      • ?= (a positive lookahead)

      • ?! (a negative lookahead)

      • ?<= (a positive lookbehind)

      • ?<! (a negative lookbehind)

      • \b (a word boundary)

      • \B (a non-word boundary)

      For example, the end-of-text construct $* only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like $ redundant.

      A common pitfall that causes this warning is when users copy and paste a glob pattern like *abc* in as a regex, but delimit the regex with start of text and end of text anchors:

      regex
      /^*abc*$/

      The proper configuration should look like this:

      regex
      /abc/

      For more information, see LogScale Regular Expression Engine V2.
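
An added example, not part of the LogScale release notes or CrowdStrike's tooling: a small Python linter that flags the two regex features scheduled for removal in 1.225, so saved queries can be corrected before upgrading. The name lint_regex and the octal heuristic (a backslash followed by two or more digits) are assumptions; the function takes the regex body without its / delimiters.

```python
import re

# Assumed heuristic for octal-style escapes: a backslash followed by 2+ digits.
OCTAL = re.compile(r"\\\d{2,}")
# A quantifier directly after a construct: *, +, ? or {n...}.
QUANT = re.compile(r"[*+?]|\{\d")
LOOKAROUNDS = ("(?<=", "(?<!", "(?=", "(?!")
UNQ = "quantified unquantifiable construct"

def lint_regex(pattern):
    """Return (offset, construct, reason) tuples for one regex body."""
    findings, groups, in_class, i = [], [], False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            m = OCTAL.match(pattern, i)
            if m:
                findings.append((i, m.group(), "octal escape"))
                i = m.end()
                continue
            # \b and \B are zero-width only outside a character class.
            if not in_class and pattern[i + 1] in "bB" and QUANT.match(pattern, i + 2):
                findings.append((i, pattern[i:i + 2], UNQ))
            i += 2  # skip the escaped character
            continue
        if in_class:
            in_class = ch != "]"  # ^ and $ are literals inside [...]
        elif ch == "[":
            in_class = True
        elif ch in "^$" and QUANT.match(pattern, i + 1):
            findings.append((i, ch, UNQ))
        elif ch == "(":
            # Remember whether this group is a lookaround or an ordinary group.
            kind = next((p for p in LOOKAROUNDS if pattern.startswith(p, i)), "(")
            groups.append((i, kind))
            i += len(kind)
            continue
        elif ch == ")" and groups:
            start, kind = groups.pop()
            if kind != "(" and QUANT.match(pattern, i + 1):
                findings.append((start, pattern[start:i + 1], UNQ))
        i += 1
    return findings

if __name__ == "__main__":
    # First two patterns are from the notes above; the rest are constructed samples.
    samples = [r"10\.26.\122\.128", r"^*abc*$", r"foo(?=bar)+", r"\b+err", r"[$*]abc", r"abc"]
    for p in samples:
        print(f"/{p}/ ->", lint_regex(p) or "ok")
```

The unescaped . in the first sample is valid syntax and is not flagged, so dotted IP literals still need a manual check for missing escapes.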

Removed

Items that have been removed as of this release.

Configuration

  • Removed the NoCurrentsForBucketSegments feature flag. Its functionality is now permanently enabled.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

New features and improvements

  • GraphQL API

    • Added the option for end timestamp functionality for per-repository archiving configuration. This filters out segments with start timestamps later than the configured end timestamp.

      A new optional parameter endAtDateTime has been added to the following GraphQL endpoints:

    • Added ability to search for triggers by name using the GraphQL API. The new name argument can be used with filterAlert, aggregateAlert, and scheduledSearch fields in SearchDomain, Repository, or View types.

      Note

      name and id arguments cannot be used simultaneously.

Fixed in this release

  • Security

    • Users who have ManageOrganizations (Cloud) or ManageCluster (Self-Hosted) permissions can now change the Data Retention settings above the repository time limit via the web interface. Previously, changing these settings was possible but only via GraphQL, so this inconsistency has now been fixed.

  • Ingestion

    • Updated parser/v0.3.0 schema to allow empty rawString values in test cases, ensuring consistency between API-created parsers and YAML export functionality. Previously, parser templates created via CRUD APIs with empty rawString values would fail YAML export due to schema validation.

  • Functions

    • Fixed an issue in the match() function where characters with larger lowercase than uppercase UTF-8 representations caused lookup failures.

    • Fixed an issue where prefix values of a certain length could cause an error during the creation of the lookup structure for the match() function.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (i.e. the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Falcon Data Replicator

    • Falcon Data Replicator metrics job now uses an HTTP proxy when FDR_USE_PROXY is enabled.

  • Automation and Triggers

    • Enhanced action logging in humio-activity logs:

      • Successfully triggering actions are now logged in the humio-activity repository with message Invoking action succeeded.

      • Email actions now include messageId field for SMTP or Postmark emails

      • Future SaaS email actions will use mailstrikeTraceId field

      • Test actions now log a Successfully invoked test action message

  • Storage

    • Aligned the check completed during S3 archiving configuration validation with actual archiving upload behavior, enabling support for buckets using Amazon S3 Object Lock.

  • Configuration

    • Migrated to official Apache Pekko releases from internal fork. Fixed Google Cloud Storage authentication scope placement to ensure proper handling of read/write permissions.

  • Ingestion

    • Improved LogScale's Parser Generator dialog to better handle sample log files:

      • Added clear error messages for log lines exceeding character limits

      • Fixed processing of mixed-size log lines to ensure all valid lines are included

  • Log Collector

    • Implemented disk-based caching for Log Collector artifacts (installers, binaries, scripts) to reduce update server load. The cache automatically manages artifact cleanup based on manifest presence and configurable disk quota limits.

  • Queries

    • Enhanced query performance by implementing hash filter file caching for frequently accessed bucketed segments, even when queries only require hash filter files for search operations.