Falcon LogScale 1.233.0 GA (2026-03-24)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.233.0GA2026-03-24

Cloud

Next LTSNo1.177.01.177.0No

Available for download two days after release.

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Removed

Items that have been removed as of this release.

Metrics and Monitoring

  • The schedulesegments metric has been removed due to the data it provided no longer being of significant use. Previously, this metric measured the execution time for a particular piece of code that has now experienced significant changes since the metric's inception. Performance issues for that piece of code can now be observed via thread dumps, making a dedicated metric obsolete.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Upgrades

Changes that may occur or be required during an upgrade.

  • Functions

    • The underlying data structure for the following query functions have been updated to improve cardinality estimation:

New features and improvements

  • Configuration

    • The feature flag EnableCompleteStateCache has been replaced with the dynamic configuration parameter QueryStateCacheCompleteEnabled.

Fixed in this release

  • User Interface

    • Web interface's table components could display stale data when filters were changed rapidly by users. For example, this issue might have occurred when entering data in a search box, toggling column filters, and/or clearing all filters in rapid succession, resulting in responses arriving out of order and causing outdated results to overwrite more recent data.

      To address this issue, table components in the UI now track request versions and ignore stale responses, ensuring only the most recent filtered results are displayed. Also, the previous/next pagination buttons are now disabled while a search is in progress.

      Before the fix, affected pages included:

  • Ingestion

    • In the parser editor, when validating test cases against the CrowdStrike Parsing Standard (CPS), the parser schema validation would report a violation against the wrong field name in some cases. This issue has now been fixed.

  • Queries

    • A minor issue regarding prioritization in LogScale's query scheduler has been fixed. When starting work on scanning a segment piece, a query is effectively charged for the expected cost of the work. Previously, the total estimate was being incorrectly multiplied by the number of blocks in the segment, causing the query to temporarily appear more expensive than it should, resulting in a more strict deprioritization than necessary.

    • The query prioritization code used for humio-metrics has been adjusted to ensure all costs incurred by a user or organization is accounted for in the metrics gathered by LogScale. Previously, the final work completed by the last query perfomed was not counted, eliminating it from the final total.

    • A minor issue introduced in version 1.134.0 has been fixed where streaming queries were not being throttled correctly, leading to individual streaming queries consuming too much capacity.

    • Fixed an issue where unrelated, incorrect auto-completion suggestions would be provided by the Query editor when writing regex flags, for example in cases where the user's cursor was positioned after the regex flag in /foo/i. This issue has been fixed and auto-suggestions are now disabled in these cases.

    • An issue in the Query editor has been fixed where auto-completions would be suggested when writing inside comment blocks. For example, if the cursor was positioned inside //foo or /*foo*/, auto-completions would incorrectly be suggested. No suggestions are now provided in these cases.

  • Functions

    • Fixed an issue with the query functions format() and formatTime(), where negative time zone offsets could be printed incorrectly.

    • Fixed an issue where queries using the parseTimestamp() function on a timestamp that included a deprecated Java short zone ID (ZoneId.SHORT_IDS) would result in an erroneous time zone being supplied (Africa/Abidjan). Use of the deprecated codes will now result in an error message.

      For more information, see the Java ZoneId SHORT_IDS documentation.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • The tab label for the package's settings page has been updated from Installed to Manage, and the page title has been updated from Installed packages to Manage packages.

  • Queries

    • A log line has been added to the query scheduler to record the CPU time spent processing the most expensive block of data in the most recent 10 second time interval.

    • The LogScale Regular Expression Engine V2 has been optimized to handle "zero-or-more" repetitions that occur at the start of regular expressions and after the opening of groups. Regexes that align with the following formats are now one complexity class faster than before:

      • /(.*)foo/

      • /(.*foo)/

      • /(((.*)f)o)o/

      In benchmarking, most regexes fitting these formats were found to be up to 10 times faster, particularly as the input grows in length.

      Due to technical constraints, some regexes that have this format may experience a reduction in performance speed due to prioritization protocols, particularly those that repeat a small set of characters. In general, these regexes are still as fast or faster than before.

    • An optimization in the LogScale Regular Expression Engine V2 has been extended. This extension accounts for greedy repetitions of single character predicates at the beginning of a regex, where either a minimum, maximum, or both is specified.

      As a result, regexes of the following forms are now up to 10x faster than before:

      • /.+foo/

      • /\w{3,}bar/

  • Fleet Management

    • The margin in the Fleet Management overview page has been reduced to allow for a larger table. Filter buttons have been resized to match the height of the search field.

  • Metrics and Monitoring

    • LogScale has stopped logging internal request logs for both the is-node-up and query worker submission endpoints on successful requests.

      To avoid loss of visibility, the following metrics have been added to keep track of query worker submissions:

      • internal-queryjobs-submission-timing

      • internal-queryjobs-submission-size