Falcon LogScale 1.223.0 GA (2026-01-13)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.223.0GA2026-01-13

Cloud

Next LTSNo1.150.01.177.0No

Available for download two days after release.

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

  • Queries

    • Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:

      • Octal notation

      • Quantification of unquantifiable constructs

      Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.

      Here is an example of a common octal notation issue:

      regex
      /10\.26.\122\.128/

      In this example, \122 is interpreted as the octal escape for R rather than the intended literal 122. Similarly, the . matches not just the punctuation itself but also any single character except for new lines.

      Any construction of \x where x is a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the correponding capture group does not exist, it will be an error.

      Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.

      Unquantifiable constructs being removed include:

      • ^ (the start of string/start of line)

      • $ (the end of string/end of line)

      • ?= (a positive lookahead)

      • ?! (a negative lookahead)

      • ?<= (a positive lookbehind)

      • <?<!> (a negative lookbehind)

      • \b (a word boundary)

      • \B (a non-word boundary)

      For example, the end-of-text construct $* only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like $ redundant.

      A common pitfall that causes this warning is when users copy and paste a glob pattern like *abc* in as a regex, but delimit the regex with start of text and end of text anchors:

      regex
      /^*abc*$/

      The proper configuration should look like this:

      regex
      /abc/

      For more information, see LogScale Regular Expression Engine V2.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

New features and improvements

  • Security

    • Added the dynamic configuration parameter DisableAssetSharing to control whether users have the capability to share assets like dashboards, saved searches, reports, etc. with other users via direct permission assignments. When set to true, only users with changeUserAccess permission can assign direct asset permissions.

      Asset sharing is enabled by default. Administrators can disable it cluster-wide using the dynamic configuration DisableAssetSharing via the GraphQL API.

Fixed in this release

  • User Interface

    • Fixed an issue with the parser duplication dialog in the UI that incorrectly displayed a repository selector. When duplicating a parser, users can now only duplicate within the same repository, matching the API's actual behavior.

      Note

      The repository selector continues to work as expected for other asset types like saved queries, dashboards, and actions.

  • Automation and Triggers

    • Fixed a rare issue where a trigger deletion could be incorrectly logged as a broken trigger.

  • Storage

    • Fixed an issue where disk clean-up would leak aux/hash files on disk when only the aux/hash files were present and not the segment files themselves. This only affects systems where the KeepSegmentHashFiles feature flag has been enabled.

  • Configuration

    • Fixed an issue where LogScale would reuse existing Kafka bootstrap servers when tracking brokers, even when Kafka clients were not allowed to rebootstrap. This could prevent Kafka clients from reaching the correct Kafka cluster. For reference, rebootstrapping solves a common issue that occurs when the connection is lost to all Kafka brokers known to the user based on the most recent metadata request.

      For example, if a user has "Kafka Broker 1" and "Kafka Broker 2" running and attempts to turn on "Kafka Broker 3" and "Kafka Broker 4" while turning off "Kafka Broker 1" and "Kafka Broker 2" at the same time, a non-rebootstrapping user would lose connection to Kafka because only "Kafka Broker 1" and "Kafka Broker 2" are known to it.

      With rebootstrapping enabled, users are able to retry all initial bootstrap servers. If any server is live, the client will not lose connection.

      Kafka clients in LogScale are allowed to rebootstrap by setting the environment variable KAFKA_COMMON_METADATA_RECOVERY_STRATEGY to none.

      Disabling rebootstrapping is generally not recommended. However, it may be necessary if any bootstrap servers that have been specified in KAFKA_SERVERS have a possibility of resolving to a Kafka broker in any cluster other than the original cluster.

      For more information, see the Apache documentation: KIP-899: Allow producer and consumer clients to rebootstrap

  • Queries

    • Fixed an issue where an error surfacing during subquery result calculation, such as within join() or defineTable(), would not be visible to the user.

    • Fixed an issue where query results could be incorrectly reused from cache for static queries. Only queries using @ingesttimestamp in conjunction with start() and/or end() functions were affected.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (i.e. the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • Restored quick-access query links from the Parsers overview. Users can now access context menu actions to directly navigate to the Search page querying parser events and errors. Options are now as follows:

      • Query parsed events - Quickly view all events parsed by a specific parser

      • Query parser errors - Instantly see parsing errors for troubleshooting

      For more information, see Manage Parsers.

  • Configuration

    • Added validation checks for the configuration variable NODE_ROLES to ensure that they are set only to allowed values (all, httponly, and ingestonly). Invalid node role configurations now prevent LogScale from starting and notify users with an exception error message.

      For more information, see NODE_ROLES.

  • Queries

    • Improved caching of query states to allow partial reuse of query results when querying by event time, improving query performance while reducing query costs.