Falcon LogScale 1.230.0 GA (2026-03-03)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.230.0GA2026-03-03

Cloud

Next LTSNo1.150.01.177.0No

Available for download two days after release.

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Removed

Items that have been removed as of this release.

Storage

  • Cached data files mode, which allowed users to configure a local cache directory for segment files, was deprecated in 1.210.0. It has now been entirely removed from LogScale.

    To ensure users are aware of this feature's removal, nodes that contain the configuration variables CACHE_STORAGE_DIRECTORY, CACHE_STORAGE_PERCENTAGE, and CACHE_STORAGE_SOURCE will now refuse to start.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • Live streaming queries are now deprecated, and support is slated for removal starting in version 1.241.0.

    Note

    Aggregate live streaming queries are already unsupported. This additional deprecation notice only applies to filter-only queries. Static streaming queries are unaffected, as are any queries submitted via the queryjobs API.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Automation and Triggers

  • Configuration

    • The way LogScale interprets the environment variable INITIAL_FEATURE_FLAGS has changed.

      This setting allows administrators to define at boot time what features are enabled in LogScale, and allows feature flags to be toggled via GraphQL at runtime. Previously, features appearing in INITIAL_FEATURE_FLAGS would be written into global when the node booted, causing the following unintended behaviors:

      • The settings were written to global at a late point during bootup. This meant that when enabling a flag via INITIAL_FEATURE_FLAGS, there would be a period during bootup where the feature was not enabled.

      • In cases where administrators mistakenly only applied INITIAL_FEATURE_FLAGS to some nodes in the cluster rather than all nodes, those nodes could end up in competitions with one another for what the state in global should be, with the last node to reboot being the final result.

      • If an administrator enabled a feature via INITIAL_FEATURE_FLAGS, and disabled it at runtime via GraphQL, the flag could enable itself again if any node rebooted, because the feature states from INITIAL_FEATURE_FLAGS would again be written into global.

      The new behavior of INITIAL_FEATURE_FLAGS is that it is applied immediately on boot, and there is a strict precedence order between GraphQL and INITIAL_FEATURE_FLAGS.

      If a feature is explicitly enabled or disabled via GraphQL, that setting will take precedence across all cluster nodes, and INITIAL_FEATURE_FLAGS will be ignored. Otherwise, INITIAL_FEATURE_FLAGS will control the feature flag states for the local node only, rather than cluster-wide.

      If administrators have enabled or disabled a feature via GraphQL and they wish to "unset" this decision, the deleteFeatureFlag mutation allows for returning to the factory setting for the specified flag.

New features and improvements

  • User Interface

    • The Lookup files page now allows for quickly copying file names by either:

      • Clicking the Copy file name option from the options menu in the files' overview table

      • Hovering over a file name in the files' overview table and click the copy icon.

    • LogScale now presents an upgraded Query editor to deliver a faster and more reliable authoring experience. This enhancement improves page loading times across LogScale while resolving several long-standing editor limitations.

      New features and improvements include:

      • Code Folding/Collapsible Code Sections. Collapse and expand sections of complex, multi-line queries for easier navigation to focus only on the query portion you're actively editing. This feature applies to any function, such as correlate() or defineTable().

      • Auto-Indentation. Queries are now automatically formatted with indentation as you type.

      • Improved Bracket Matching and Error Highlighting. Matching brackets, parentheses, and braces are instantly identified and enhanced with visual highlighting, reducing syntax errors by clearly identifying bracket pairs. Non-printable characters are now highlighted as errors directly.

      • Enhanced Copy and Paste Functionality. Mouse-based copying and pasting and keyboard shortcuts now both work consistently in the editor.

      • Improved Performance. Load times when working with the LogScale's search interface have been improved due to a 50% smaller code footprint, leading to faster response times. This improvement applies to all search uses (queries, automation, etc.).

      These upgrades also provide a foundation for future enhancements on an extensible editor platform, including the ability to more easily add features and improvements based on user feedback.

      For more information, see Query Editor.

Fixed in this release

  • Automation and Triggers

    • Triggers running on behalf of a user could not be enabled or disabled using a view permission token with the administration permission ChangeTriggersToRunAsOtherUsers, could not be enabled or disabled. This issue has now been fixed.

  • Queries

  • Functions

    • Fixed an issue where the function xml:prettyPrint() would fail to print valid XML when the field contained a constant string. For example:

      logscale
      x := "<a></a>" | xml:prettyPrint(x)

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Installation and Deployment

    • The Linux Wolfi OS base image for Docker has been updated for LogScale to eliminate Common Vulnerabilities and Exposures (CVEs).

      For more information regarding Wolfi, visit their documentation here: Wolfi OS - GitHub

    • Updated packages containing CVEs in PDF Render Service to account for Snyk CVEs with a severity level of 'High'.

  • Configuration

  • Queries

    • Subqueries are now allowed to begin with a pipe operator (|). This aligns subqueries with the main query, which already allows a leading pipe. Starting a subquery with a pipe makes no semantic difference.

      In the example below, starting the query argument with a pipe is now syntactically valid.

      logscale
      defineTable(
  query={
    | value=42
  }, include=*, name=""
)

    • A performance optimization for the LogScale Regular Expression Engine V2 has been introduced. Regexes that use non-greedy repetitions and where backtracking of the body can be ruled out are now faster, particularly if multiple such repetitions follow one another.

      Nongreedy repetitions are those that end with the character ?. Examples include:

      • ??

      • *?

      • +?

      • {n,m}?

      An example of the character used in practice:

      regex
      /\(\w*?\)/

    • Single-line repetitions of any character across capture groups have been optimized to operate faster in the LogScale Regular Expression Engine V2.

      For example:

      regex
      /((?s:.*))Y/ and /(.*)X/d