Falcon LogScale 1.233.1 GA (2026-04-10)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.233.1 | GA | 2026-04-10 | Cloud | 2027-05-31 | No | 1.177.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.233.1 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.
Removed
Items that have been removed as of this release.
Metrics and Monitoring
The schedulesegments metric has been removed due to the data it provided no longer being of significant use. Previously, this metric measured the execution time for a particular piece of code that has now experienced significant changes since the metric's inception. Performance issues for that piece of code can now be observed via thread dumps, making a dedicated metric obsolete.
Deprecation
Items that have been deprecated and may be removed in a future release.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Upgrades
Changes that may occur or be required during an upgrade.
Functions
The underlying data structure for the following query functions has been updated to improve cardinality estimation:
- count() (with the parameter distinct set to true)
This represents no change in operations for users.
New features and improvements
Configuration
The feature flag EnableCompleteStateCache has been replaced with the dynamic configuration parameter QueryStateCacheCompleteEnabled.
Fixed in this release
User Interface
Web interface's table components could display stale data when filters were changed rapidly by users. For example, this issue might have occurred when entering data in a search box, toggling column filters, and/or clearing all filters in rapid succession, resulting in responses arriving out of order and causing outdated results to overwrite more recent data.
To address this issue, table components in the UI now track request versions and ignore stale responses, ensuring only the most recent filtered results are displayed. Also, the previous/next pagination buttons are now disabled while a search is in progress.
Before the fix, affected pages included:
- Reports
- Saved Searches
- Files
- Connections
- Enrollment Tokens
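The request-versioning approach described in this fix, as an added example that is not LogScale's UI code. The class FilteredTable, its methods and the sample rows are hypothetical names chosen for illustration.

```javascript
// Added example: "latest request wins" state for a filtered, paginated table.
// All names here are hypothetical; this is not code from the LogScale UI.
class FilteredTable {
  constructor() {
    this.version = 0;      // version of the most recently issued request
    this.inFlight = false; // true while the newest request is unanswered
    this.rows = [];
    this.filter = "";
  }

  // Call whenever the filter changes; returns the token to pass back with the response.
  beginRequest(filter) {
    this.version += 1;
    this.inFlight = true;
    this.filter = filter;
    return this.version;
  }

  // Call when a response arrives. Returns true only if the rows were applied.
  applyResponse(token, rows) {
    if (token !== this.version) return false; // stale: a newer request was issued
    this.rows = rows;
    this.inFlight = false;
    return true;
  }

  // Previous/next buttons stay disabled while a search is in progress.
  get pagingEnabled() {
    return !this.inFlight;
  }
}

// Constructed scenario: the user types "a", then "ab"; the slower "a" response arrives last.
function replayOutOfOrder() {
  const table = new FilteredTable();
  const first = table.beginRequest("a");
  const second = table.beginRequest("ab");
  const pagingWhileSearching = table.pagingEnabled;
  const appliedSecond = table.applyResponse(second, ["abacus"]);
  const appliedFirst = table.applyResponse(first, ["abacus", "anchor"]);
  return {
    rows: table.rows, filter: table.filter, appliedFirst, appliedSecond,
    pagingWhileSearching, pagingAfter: table.pagingEnabled,
  };
}
```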
Ingestion
In the parser editor, when validating test cases against the CrowdStrike Parsing Standard (CPS), the parser schema validation would report a violation against the wrong field name in some cases. This issue has now been fixed.
Queries
A minor issue regarding prioritization in LogScale's query scheduler has been fixed. When starting work on scanning a segment piece, a query is effectively charged for the expected cost of the work. Previously, the total estimate was being incorrectly multiplied by the number of blocks in the segment, causing the query to temporarily appear more expensive than it should, resulting in a more strict deprioritization than necessary.
A minor issue introduced in version 1.134.0 has been fixed where streaming queries were not being throttled correctly, leading to individual streaming queries consuming too much capacity.
The query prioritization code used for humio-metrics has been adjusted to ensure all costs incurred by a user or organization are accounted for in the metrics gathered by LogScale. Previously, the final work completed by the last query performed was not counted, eliminating it from the final total.
Fixed an issue where unrelated, incorrect auto-completion suggestions would be provided by the Query editor when writing regex flags, for example in cases where the user's cursor was positioned after the regex flag in /foo/i. This issue has been fixed and auto-suggestions are now disabled in these cases.
An issue in the Query Editor has been fixed where auto-completions would be suggested when writing inside comment blocks. For example, if the cursor was positioned inside //foo or /*foo*/, auto-completions would incorrectly be suggested. No suggestions are now provided in these cases.
Functions
Fixed an issue with the query functions format() and formatTime(), where negative time zone offsets could be printed incorrectly.
Fixed an issue where queries using the parseTimestamp() function on a timestamp that included a deprecated Java short zone ID (ZoneId.SHORT_IDS) would result in an erroneous time zone being supplied (Africa/Abidjan). Use of the deprecated codes will now result in an error message.
For more information, see the Java ZoneId SHORT_IDS documentation.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
User Interface
The tab label for the package's settings page has been updated from Installed to Manage, and the page title has been updated from Installed packages to Manage packages.
Queries
A log line has been added to the query scheduler to record the CPU time spent processing the most expensive block of data in the most recent 10 second time interval.
An example of the results of this operation might look like this:
2026-03-25T14:45:49.445+0000 [query-normal-scheduler] INFO c.h.q.m.SegmentQueue 145 - Slowest block intervalMs=10000 queryID=IQ-QKqKIDGrXDnrs2N1PozMlYil slowestBlockCpuMs=6
The format for the results is as follows:
- The timestamp for when the log was generated
- The name of the thread that the log is coming from
- The log level
- The class the log line is coming from
- The vhost that generated the log
Note
Log formats are subject to change and may be adjusted at any time.
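An added example, not part of the release notes or of LogScale itself: a parser for the Slowest block line shown above that reports the query IDs whose slowestBlockCpuMs meets a threshold. The function names are hypothetical, and every sample line after the first is constructed for illustration.

```javascript
// Header layout listed above: timestamp, [thread], level, class, vhost, " - ", message.
const HEADER = /^(\S+) \[([^\]]+)\] ([A-Z]+) (\S+) (\d+) - (.*)$/;

// Returns a record for a "Slowest block" line, or null for any other line.
function parseSlowestBlock(line) {
  const m = HEADER.exec(line.trim());
  if (!m || !m[6].startsWith("Slowest block ")) return null;
  const kv = {};
  for (const [, key, value] of m[6].matchAll(/(\w+)=(\S+)/g)) kv[key] = value;
  const intervalMs = Number(kv.intervalMs);
  const cpuMs = Number(kv.slowestBlockCpuMs);
  // The format may change between releases: reject lines missing the expected fields.
  if (!kv.queryID || !Number.isInteger(intervalMs) || !Number.isInteger(cpuMs)) return null;
  return {
    timestamp: m[1], thread: m[2], level: m[3], className: m[4],
    vhost: Number(m[5]), queryId: kv.queryID, intervalMs, slowestBlockCpuMs: cpuMs,
  };
}

// Worst slowestBlockCpuMs per query ID, keeping only IDs at or above the threshold.
function expensiveQueries(lines, cpuMsThreshold) {
  const worst = new Map();
  for (const line of lines) {
    const rec = parseSlowestBlock(line);
    if (!rec || rec.slowestBlockCpuMs < cpuMsThreshold) continue;
    worst.set(rec.queryId, Math.max(worst.get(rec.queryId) ?? 0, rec.slowestBlockCpuMs));
  }
  return worst;
}

// Line 1 is the sample from this page; lines 2-5 are constructed test input.
const SAMPLE_LINES = [
  "2026-03-25T14:45:49.445+0000 [query-normal-scheduler] INFO c.h.q.m.SegmentQueue 145 - Slowest block intervalMs=10000 queryID=IQ-QKqKIDGrXDnrs2N1PozMlYil slowestBlockCpuMs=6",
  "2026-03-25T14:45:59.447+0000 [query-normal-scheduler] INFO c.h.q.m.SegmentQueue 145 - Slowest block intervalMs=10000 queryID=IQ-constructedExample0001 slowestBlockCpuMs=2300",
  "2026-03-25T14:46:09.450+0000 [query-normal-scheduler] INFO c.h.q.m.SegmentQueue 145 - Slowest block intervalMs=10000 queryID=IQ-constructedExample0001 slowestBlockCpuMs=4100",
  "2026-03-25T14:46:10.001+0000 [constructed-thread] INFO c.example.Constructed 145 - Some other message",
  "2026-03-25T14:46:19.452+0000 [query-normal-scheduler] INFO c.h.q.m.SegmentQueue 145 - Slowest block intervalMs=10000 queryID=IQ-constructedTruncated",
];
```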
The LogScale Regular Expression Engine V2 has been optimized to handle "zero-or-more" repetitions that occur at the start of regular expressions and after the opening of groups. Regexes that align with the following formats are now up to 10x faster for inputs of length 70, but may be even faster compared to before, as the input grows in size:
- /(.*)foo/
- /(.*foo)/
- /(((.*)f)o)o/
In benchmarking, most regexes fitting these formats were found to be up to 10 times faster, particularly as the input grows in length.
Due to technical constraints, some regexes that have this format may experience a reduction in performance speed due to prioritization protocols, particularly those that repeat a small set of characters. In general, these regexes are still as fast or faster than before.
An optimization in the LogScale Regular Expression Engine V2 has been extended. This extension accounts for greedy repetitions of single character predicates at the beginning of a regex, where either a minimum, maximum, or both is specified.
As a result, regexes of the following forms are now up to 10x faster than before:
- /.+foo/
- /\w{3,}bar/
Fleet Management
The margin in the Fleet Management overview page has been reduced to allow for a larger table. Filter buttons have been resized to match the height of the search field.
Metrics and Monitoring
LogScale has stopped logging internal request logs for both the is-node-up and query worker submission endpoints on successful requests.
To avoid loss of visibility, the following metrics have been added to keep track of query worker submissions:
- internal-queryjobs-submission-timing
- internal-queryjobs-submission-size
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
juniper/srx has been updated to v1.5.2.
Enhanced timestamp parsing with additional format support for non-RFC compliant logs
Updated parser version to 3.0.1
Updated ECS version to 9.3.0
Updated CPS version to 1.1.0
Improved field handling with proper timestamp field cleanup
For more information, see Package juniper/srx Release Notes.
cisco/ios has been updated to v1.9.2.
Enhanced regex patterns to handle optional whitespace after colon separators in event codes
Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis
Added IANA protocol number to network transport protocol mapping for common protocols
Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters
Updated ECS version to 9.3.0
Updated parser version to 2.9.1
For more information, see Package cisco/ios Release Notes.
fortinet/fortigate has been updated to v2.3.3.
Enhanced VPN tunnel event handling with improved source address mapping for tunnel-up actions
Added source.nat.ip field mapping from Vendor.tunnelip for VPN tunnel events
Improved network direction detection with additional conditions for Vendor.init field
Fixed corrupted type field parsing by restoring "utm" value when type field contains text/css, text/html, or other text/* values
Updated parser version to 5.1.3
For more information, see Package fortinet/fortigate Release Notes.
microsoft/sysmon has been updated to v1.1.4.
Added @dataConnectionID field to the select statement for improved data connection tracking
Updated parser version to 1.1.4
For more information, see Package microsoft/sysmon Release Notes.
darktrace/detect has been updated to v2.0.2.
Updated ECS version to 9.2.0
Updated parser version to 3.0.2
Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding
Added array-based field handling for host.mac[] field
For more information, see Package darktrace/detect Release Notes.
zscaler/internet-access has been updated to v2.1.2.
Fixed event.action field assignment order in firewall events to ensure proper conditional processing
Updated parser version to 4.0.2
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.3.1.
Added observer.ingress.interface.id field mapping from Vendor.interface-id
Updated parser version to 1.3.1
For more information, see Package aws/vpcflow Release Notes.
dell/isilon has been updated to v1.2.3.
Updated ECS version to 9.3.0
Updated parser version to 1.1.4
Added support for RFC 5424 syslog format parsing
Added log.syslog.version field mapping
Enhanced timestamp parsing with case-based logic for different syslog formats
For more information, see Package dell/isilon Release Notes.
cisco/firepower has been updated to v1.9.2.
Updated parser version to 4.1.2
Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats
Added support for multiple parsing patterns including domain\user combinations and hostname-only formats
Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field
Added support for event code 402117 for IPSEC non-IPSec packet events
Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures
Added IANA protocol number to transport protocol mapping for better protocol identification
Fixed whitespace formatting issues in parser code
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.7.1.
Enhanced client/server field mapping to apply to all events instead of only application control logs
Moved client/server field assignments outside conditional logic for broader coverage
Updated parser version to 3.7.1
For more information, see Package checkpoint/ngfw Release Notes.