Falcon LogScale 1.234.1 GA (2026-04-10)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.234.1GA2026-04-10

Cloud

2027-05-31No1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Configuration

    • LogScale will now throw an error on boot if SECONDARY_DATA_DIRECTORY variable is configured. This change is intended to help administrators identify that they are using this deprecated feature that is now being removed.

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Removed

Items that have been removed as of this release.

Storage

  • Secondary storage support has been entirely removed. The following configuration options are no longer available:

  • Secondary storage support has been removed from the redactEvents functionality, the health check functionality, and the internal segment fetching endpoint. This includes the removal of the secondary-disk-usage health check response from the health check API.

GraphQL API

Metrics and Monitoring

  • The humio-metrics repository metric secondary-disk-usage has been removed, as it measured functionality that is no longer present in the product.

Deprecation

Items that have been deprecated and may be removed in a future release.

New features and improvements

  • Automation and Triggers

    • It is now possible to schedule reruns of scheduled searches that have already been executed. This functionality is currently available through the GraphQL API using the new rerunScheduledSearch mutation, and the cancelScheduledSearchRerun mutation for canceling a rerun. Scheduled reruns can be viewed in the executionTimesToRerun field on the ScheduledSearch type. Reruns run in parallel with normal runs, with at most one rerun per scheduled search at a time.

      A maximum of 50 reruns can be scheduled per scheduled search. This limit is configurable using the SCHEDULED_SEARCH_MAX_NUMBER_OF_RERUNS configuration variable.

    • The new Interval scheduling option has been added as an alternative to cron expressions for scheduled searches. This new option uses Relative Time Syntax modifiers such as @every 5d, allowing searches to run at regular intervals.

      For more information, see Scheduling.

  • GraphQL API

    • The GraphQL mutation unsetRetention has been added, allowing individual retention settings on a repository to be restored to their default values. Previously, once retention settings such as timeBasedBackupRetention were set to a positive value, the only way to restore them to the default was to pass null via the updateRetention mutation, which some API clients do not support.

      The new mutation accepts boolean flags for each retention setting and restores those set to true back to their default values. The supported flags are:

      • timeBasedRetention

      • ingestSizeBasedRetention

      • storageSizeBasedRetention

      • timeBasedBackupRetention

Fixed in this release

  • Automation and Triggers

    • Fixed an issue where a filter alert could trigger on two events sharing the same @id field value, depending on timing. Filter alerts now deduplicate events using the @id field and will trigger on only one of them.

  • Fleet Management

    • Fixed an issue where the UI would prevent deleting Log Collector configurations even when no collector instances were using the configuration.

  • Metrics and Monitoring

    • The calculation for the humio-metrics repo metric min-unacked-ingest-timestamp has been corrected to account for occasional underreporting due to overly optimistic (low) values.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Automation and Triggers

    • The field retryable has been added to the internal log events repository humio-triggers-execution-info. When a scheduled search execution fails, the log event now indicates whether the failure is retryable or non-retryable. Errors that are considered transent and therefore re-tryable include timeouts, I/O errors, or HTTP 5xx responses, while non-retryable, permanent errors include invalid configurations, missing actions, or blocked queries.

      This field can be found on scheduled searches containing the field ExecutionFailed

    • When a live query alert is canceled due to excessive ingest delay, LogScale now waits 1 minute before restarting it. Previously, these queries were restarted immediately, which could worsen cluster load.

      The wait time is configurable per alert type using the following configuration variables:

    • LogScale no longer shows notifications for disabled triggers. Any existing notifications for disabled triggers will be deleted shortly after upgrading to this version. Additionally, when a trigger is deleted, any associated notification is now deleted immediately rather than waiting for a background job.

    • S3 Action uploads now log the version ID returned by S3 for both the event and metadata files. When the target S3 bucket has versioning enabled, the fields eventFileVersionId and metadataFileVersionId are included in the repository humio-triggers-execution-info.

  • Ingestion

    • A new lookup file infrastructure has been enabled, which now allows Lookup Files to run more efficiently with faster load time.

  • Queries

    • The dynamic configuration parameter, ReverseDnsConcurrentRequestsPerQuery has been added to control the maximum number of parallel DNS lookups per reverseDns() query. The default value is 1 (sequential, matching previous behavior). The effective maximum is bounded by ReverseDnsConcurrentRequests, with the default value set to 10.

      Increasing ReverseDnsConcurrentRequestsPerQuery improves single-query throughput at the cost of reducing throughput available to other concurrent reverseDns() queries, as all queries share the ReverseDnsConcurrentRequests pool. Self-hosted customers resolving many IPs in a single query can increase this value to improve single-query throughput.

    • The experimental feature flag KeepSegmentHashFiles has been removed - query performance has been improved by caching hash filter files for frequently used bucketed segments, even in cases where queries only need hash filter files for search. This feature is now enabled by default.

    • Queries running in profiling mode using the explain:asTable() function have been optimized, reducing the system overhead of measuring profiling statistics. The accuracy of the reported step-by-step timeMs metric reported by explain:asTable() has also been improved.

      For more information, see explain:asTable().

    • When all nodes in the cluster are running version 1.233.0 or later, correlate queries automatically switch to a more memory-efficient internal representation for link sets. This also lowers the default memory limit per link set from 20MB to 1MB.

      If a custom value has been configured via the CorrelateLinkValuesMaxByteSize dynamic configuration option, it will be respected regardless of cluster version.

  • Auditing and Monitoring

    • The view ID and view name have been added to uploaded file audit log entries. This information is included only for files uploaded to a view. For shared replicable files, the audit log entries will not include the view ID or view name.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • juniper/srx has been updated to v1.5.2.

      • Enhanced timestamp parsing with additional format support for non-RFC compliant logs

      • Updated parser version to 3.0.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.1.0

      • Improved field handling with proper timestamp field cleanup

      For more information, see Package juniper/srx Release Notes.

    • cisco/ios has been updated to v1.9.2.

      • Enhanced regex patterns to handle optional whitespace after colon separators in event codes

      • Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis

      • Added IANA protocol number to network transport protocol mapping for common protocols

      • Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters

      • Updated ECS version to 9.3.0

      • Updated parser version to 2.9.1

      For more information, see Package cisco/ios Release Notes.

    • fortinet/fortigate has been updated to v2.3.3.

      • Enhanced VPN tunnel event handling with improved source address mapping for tunnel-up actions

      • Added source.nat.ip field mapping from Vendor.tunnelip for VPN tunnel events

      • Improved network direction detection with additional conditions for Vendor.init field

      • Fixed corrupted type field parsing by restoring "utm" value when type field contains text/css, text/html, or other text/* values

      • Updated parser version to 5.1.3

      For more information, see Package fortinet/fortigate Release Notes.

    • microsoft/sysmon has been updated to v1.1.4.

      • Added @dataConnectionID field to the select statement for improved data connection tracking

      • Updated parser version to 1.1.4

      For more information, see Package microsoft/sysmon Release Notes.

    • darktrace/detect has been updated to v2.0.2.

      • Updated ECS version to 9.2.0

      • Updated parser version to 3.0.2

      • Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding

      • Added array-based field handling for host.mac[] field

      For more information, see Package darktrace/detect Release Notes.

    • zscaler/internet-access has been updated to v2.1.2.

      • Fixed event.action field assignment order in firewall events to ensure proper conditional processing

      • Updated parser version to 4.0.2

      For more information, see Package zscaler/internet-access Release Notes.

    • aws/vpcflow has been updated to v1.3.1.

      • Added observer.ingress.interface.id field mapping from Vendor.interface-id

      • Updated parser version to 1.3.1

      For more information, see Package aws/vpcflow Release Notes.

    • dell/isilon has been updated to v1.2.3.

      • Updated ECS version to 9.3.0

      • Updated parser version to 1.1.4

      • Added support for RFC 5424 syslog format parsing

      • Added log.syslog.version field mapping

      • Enhanced timestamp parsing with case-based logic for different syslog formats

      For more information, see Package dell/isilon Release Notes.

    • cisco/firepower has been updated to v1.9.2.

      • Updated parser version to 4.1.2

      • Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats

      • Added support for multiple parsing patterns including domain\user combinations and hostname-only formats

      • Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field

      • Added support for event code 402117 for IPSEC non-IPSec packet events

      • Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures

      • Added IANA protocol number to transport protocol mapping for better protocol identification

      • Fixed whitespace formatting issues in parser code

      For more information, see Package cisco/firepower Release Notes.

    • checkpoint/ngfw has been updated to v2.7.1.

      • Enhanced client/server field mapping to apply to all events instead of only application control logs

      • Moved client/server field assignments outside conditional logic for broader coverage

      • Updated parser version to 3.7.1

      For more information, see Package checkpoint/ngfw Release Notes.