Falcon LogScale 1.224.0 GA (2026-01-20)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.224.0 | GA | 2026-01-20 | Cloud | Next LTS | No | 1.150.0 | 1.177.0 | No |
Available for download two days after release.
Hide file download links
Download
Use docker pull humio/humio-core:1.224.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure
ldapconnections will be removed. Self-Hosted customers using LDAP will only be able to useldapssecure connections.Queries
Due to various upcoming changes to LogScale and the recently introduced regex engine, the following regex features will be removed in version 1.225:
Octal notation
Quantification of unquantifiable constructs
Octal notation is being removed due to logic application difficulties and its tendency to make typographical errors easier to overlook.
Here is an example of a common octal notation issue:
regex/10\.26.\122\.128/In this example,
\122is interpreted as the octal escape forRrather than the intended literal122. Similarly, the.matches not just the punctuation itself but also any single character except for new lines.Any construction of
\xwherexis a number from 1 to 9 will always be interpreted as a backreference to a capture group. If the correponding capture group does not exist, it will be an error.Quantification of unquantifiable constructs is being removed due to lack of appropriate semantic logic, leading to redundancy and errors.
Unquantifiable constructs being removed include:
^(the start of string/start of line)
$(the end of string/end of line)
?=(a positive lookahead)
?!(a negative lookahead)?<= (a positive lookbehind)
<?<!> (a negative lookbehind)
\b(a word boundary)
\B(a non-word boundary)For example, the end-of-text construct
$*only has meaning for a limited number of occurrences. There can never be more than one occurrence of the end of the text at any given position, making elements like$redundant.A common pitfall that causes this warning is when users copy and paste a glob pattern like
*abc*in as a regex, but delimit the regex with start of text and end of text anchors:regex/^*abc*$/The proper configuration should look like this:
regex/abc/For more information, see LogScale Regular Expression Engine V2.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.
The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.
Please contact LogScale support for any concerns about this deprecation.
New features and improvements
API
Added
tableTypeto the filesUsed field in query results from the QueryJobs API to indicate the type and origination of the table being referenced.
Queries
Added support for
(?P<X>)syntax for named capturing groups in the LogScale Regular Expression Engine V2. This syntax is functionally equivalent to the existing(?<X>)syntax.
Fixed in this release
Automation and Triggers
Fixed an issue with scheduled searches where schedule changes would only be applied to runs after "now". To achieve this, the GraphQL datatype ScheduledSearch has undergone the following changes:
GraphQL fields lastExecuted and lastTriggered have been deprecated.
GraphQL fields timeOfLastExecution and timeOfLastTrigger have been added.
The new fields contain the actual execution time of the query. The deprecated fields contained the end time of the search interval of the last query that was executed or triggered.
Note
The new fields will only have a different value for scheduled searches running on @timestamp where the parameter
searchIntervalOffsetSecondsis set to a value greater than 0.For more information, see ScheduledSearch .
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (i.e. the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Queries
Function names are no longer reserved words in CrowdStrike Query Language (CQL). As a result, adding new functions will not risk accidentally rendering existing queries invalid. Going forward, a word is only interpreted as a function call if it is immediately followed by a starting parenthesis.
For example, the word
"test"was previously a reserved word and required to be quoted because it also happens to be the name of a function (test()) - it can now be written without quotes.For more information, see Appendix D - Reserved Words.
Fleet Management
Fleet Management now performs a staged rollout of collector version updates within groups to prevent simultaneous updates of all collectors.
Other
The The http server closed the connection unexpectedly message now appears at the informational level instead of the error level, as this is expected behavior if any requests fail to complete quickly during shutdown.