Falcon LogScale 1.235.1 GA (2026-04-10)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.235.1 | GA | 2026-04-10 | Cloud | Next LTS | No | 1.177.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.235.1 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Security
Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.
Removed
Items that have been removed as of this release.
GraphQL API
Removed the deprecated GraphQL query savedQuery(id). Use the savedQuery(id) field on searchDomain() query instead:
searchDomain(name: "...") { savedQuery(id: "...") { ... } }
This query was deprecated in version 1.181 due to poor performance.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following manuals have been moved to the archives:
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
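A pre-upgrade check for three items flagged above (plain ldap:// URLs, the removed root-level savedQuery(id) GraphQL query, and rdns()), added here as an example and not LogScale's own code. The file names, key names, hosts and sample contents are constructed assumptions.

```python
import re

# Items this release note removes or schedules for removal.
LDAP_PLAIN = re.compile(r"\bldap://", re.IGNORECASE)   # ldaps:// does not match
RDNS_CALL = re.compile(r"(?<![\w:])rdns\s*\(")         # reverseDns( does not match
SAVED_QUERY = re.compile(r"\bsavedQuery\s*\(")
STRING_LIT = re.compile(r'"(?:\\.|[^"\\])*"')


def root_level_saved_query(graphql: str) -> bool:
    """True if savedQuery(...) is selected at brace depth 1 (the root query)
    rather than nested inside searchDomain(...) { ... }."""
    text = STRING_LIT.sub('""', graphql)  # braces inside strings must not count
    depth = 0
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 1 and SAVED_QUERY.match(text, i):
            return True
    return False


def audit(name: str, text: str) -> list:
    """Return one finding per use of an item flagged on this page."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if LDAP_PLAIN.search(line):
            findings.append(f"{name}:{n}: plain ldap:// URL, unsupported from 1.237")
        if RDNS_CALL.search(line):
            findings.append(f"{name}:{n}: rdns() deprecated, use reverseDns()")
    if root_level_saved_query(text):
        findings.append(f"{name}: root-level savedQuery(id), removed in this release")
    return findings


# Constructed sample inputs; file names, key names and hosts are hypothetical.
SAMPLES = {
    "logscale.env": "EXAMPLE_LDAP_URL=ldap://dc01.example.internal:389\n"
                    "EXAMPLE_LDAP_ALT=ldaps://dc02.example.internal:636\n",
    "alert.logscale": "rdns(src_ip)\n| reverseDns(dst_ip)\n",
    "old.graphql": 'query { savedQuery(id: "abc") { name } }',
    "new.graphql": 'query { searchDomain(name: "prod") { savedQuery(id: "abc") { name } } }',
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        for finding in audit(fname, body):
            print(finding)
```

The brace-depth check is a heuristic: a named fragment that selects savedQuery at its top level is also reported and needs manual review.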
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Fleet Management
Log Collector enrollment no longer uses the supplied machine ID to look up an existing collector ID. Each enrollment now generates a new collector ID, regardless of whether the same machine ID is provided. Machine IDs are no longer treated as unique identifiers; all queries now use collector ID instead.
For more information, see Fleet and Group Management.
New features and improvements
Documentation
The documentation site has been updated to improve usability by adding the following features:
Dark mode
Store preferences for displaying (or hiding) the sidebars
Both are available from a new menu (the hamburger) at the top right of every documentation page.
For the sidebars:
You can override the default display to hide the left sidebar, the right sidebar, or both on each page.
Resetting to the default will use the controls set for each page by the docs team.
You can still hide and show on each page (using the » icons).
We also have keyboard controls (Option-, and Option-. toggle left and right respectively, Option-M toggles both). See Keyboard Shortcuts.
For dark mode, you can:
Force light mode (black on white)
Force dark mode (white on black)
Follow your device preferences
Reset to default (light mode)
It is possible there are some pages where dark mode does not display clearly and we will continue to update these.
Fixed in this release
Installation and Deployment
Fixed an issue where an Indicator of Compromise (IoC) with a label containing non-ASCII characters would corrupt the IoC data stored on cluster nodes backing the ioc:lookup() function. Non-ASCII IoC labels are now written correctly.
Storage
Fixed an issue that could cause spurious error logging stating Offset to delete moving backwards on partition when deleting segments using administrative endpoints for manual segment deletion.
Ingestion
Fixed an issue where CSV files containing a UTF-8 byte order mark were correctly parsed, but JSON files with a byte order mark failed to parse.
Queries
Fixed an issue where invalid queries (for example, IOC not available) could lead to 500 internal server error responses on query submission rather than surfacing the error to the user. LogScale now correctly renders non-standard status codes.
Functions
Fixed an issue in the serialization of correlate() states where the new version serialized states in a format not recognized by previous versions. This prevented running queries using the correlate() function in clusters with mixed versions (pre-1.233 and 1.233 or newer).
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".
This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
User Interface
Improved the Table widget interaction to handle aggregated @id fields if they are separated by \n or ,.
For more information, see Look up events with multiple IDs.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
juniper/srx has been updated to v1.5.2.
Enhanced timestamp parsing with additional format support for non-RFC compliant logs
Updated parser version to 3.0.1
Updated ECS version to 9.3.0
Updated CPS version to 1.1.0
Improved field handling with proper timestamp field cleanup
For more information, see Package juniper/srx Release Notes.
cisco/ios has been updated to v1.9.2.
Enhanced regex patterns to handle optional whitespace after colon separators in event codes
Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis
Added IANA protocol number to network transport protocol mapping for common protocols
Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters
Updated ECS version to 9.3.0
Updated parser version to 2.9.1
For more information, see Package cisco/ios Release Notes.
fortinet/fortigate has been updated to v2.3.3.
Enhanced VPN tunnel event handling with improved source address mapping for tunnel-up actions
Added source.nat.ip field mapping from Vendor.tunnelip for VPN tunnel events
Improved network direction detection with additional conditions for Vendor.init field
Fixed corrupted type field parsing by restoring "utm" value when type field contains text/css, text/html, or other text/* values
Updated parser version to 5.1.3
For more information, see Package fortinet/fortigate Release Notes.
microsoft/sysmon has been updated to v1.1.4.
Added @dataConnectionID field to the select statement for improved data connection tracking
Updated parser version to 1.1.4
For more information, see Package microsoft/sysmon Release Notes.
darktrace/detect has been updated to v2.0.2.
Updated ECS version to 9.2.0
Updated parser version to 3.0.2
Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding
Added array-based field handling for host.mac[] field
For more information, see Package darktrace/detect Release Notes.
zscaler/internet-access has been updated to v2.1.2.
Fixed event.action field assignment order in firewall events to ensure proper conditional processing
Updated parser version to 4.0.2
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.3.1.
Added observer.ingress.interface.id field mapping from Vendor.interface-id
Updated parser version to 1.3.1
For more information, see Package aws/vpcflow Release Notes.
dell/isilon has been updated to v1.2.3.
Updated ECS version to 9.3.0
Updated parser version to 1.1.4
Added support for RFC 5424 syslog format parsing
Added log.syslog.version field mapping
Enhanced timestamp parsing with case-based logic for different syslog formats
For more information, see Package dell/isilon Release Notes.
cisco/firepower has been updated to v1.9.2.
Updated parser version to 4.1.2
Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats
Added support for multiple parsing patterns including domain\user combinations and hostname-only formats
Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field
Added support for event code 402117 for IPSEC non-IPSec packet events
Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures
Added IANA protocol number to transport protocol mapping for better protocol identification
Fixed whitespace formatting issues in parser code
For more information, see Package cisco/firepower Release Notes.
checkpoint/ngfw has been updated to v2.7.1.
Enhanced client/server field mapping to apply to all events instead of only application control logs
Moved client/server field assignments outside conditional logic for broader coverage
Updated parser version to 3.7.1
For more information, see Package checkpoint/ngfw Release Notes.