Falcon LogScale 1.237.0 GA (2026-04-21)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.237.0GA2026-04-21

Cloud

Next LTSNo1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Security

    • Secure Lightweight Directory Access Protocol (LDAPS) is now required for LDAP connections, see RN Issue in version 1.217.0.

  • Metrics and Monitoring

    • The internal metrics ingest-parsing and ingest-parsing-allocation have been revised to track on a per event basis, as is implied by their description and documentation.

      The following internal metrics have been added to reflect existing metrics, that are now normalized by bytes parsed:

      • ingest-parsing-time-per-bytes

      • ingest-parsing-allocation-per-byte

      Two additional internal metrics have also been added to track the number of bytes ingested into a parser, and how many bytes emerge from a parser respectively:

      • ingest-parsing-bytes-in

      • ingest-parsing-bytes-out

Removed

Items that have been removed as of this release.

GraphQL API

  • Color coding for denoting additional roles in LogScale's GraphQL API have been removed due to lack of consistent functionality.

Configuration

  • The environment variables SEGMENT_READ_FADVICE and SEGMENT_READ_AHEAD_COUNT have been removed.

    Previously, these variables were used to enable LogScale to use the Linux system posix_fadvise to notify the OS ahead of time that it planned to read segment bytes. This feature was disabled by default in version 1.85.0.

Deprecation

Items that have been deprecated and may be removed in a future release.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • API

    • The User-Agent header of outgoing HTTP requests has been changed from pekko/$pekko-version to LogScale/$major.$minor.$patch.

  • Configuration

    • Support for array and map aliasing has been removed to simplify YAML file handling. This change only affects users who have manually introduced aliases into any YAML files that LogScale is meant to consume - LogScale does not produce YAML files containing aliases.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The Linux Wolfi OS base image for Docker has been updated for LogScale to eliminate Common Vulnerabilities and Exposures (CVEs).

      For more information regarding Wolfi, visit their documentation here: Wolfi OS - GitHub

  • Ingestion

    • The Apache Kafka client has been updated to version 4.2.0.

New features and improvements

  • Configuration

    • Added the environment variable MAX_TABLE_SIZE_BYTES, which controls the maximum table size for functions such as defineTable(). This allows the table size to be controlled independently of the the .CSV file size.

      The variable performs using the following rules:

      • if the environment variable is set by the user, it retains the provided value.

      • If the environment value is not set by the user, the value is derived from the Maximum CSV File Upload Size.

      • If Max CSV File Upload Size is not set, it has the value from the Default Max CSV File Upload Size.

      Note

      Unless specifically overwritten, the value follows that of the CSV file size.

      The dynamic configuration parameter CsvFileSizePerOrgOverrideLimit has also been added, which allows users to specify a string using the following format: 

      <CID>:<numberofbytes>;<AnotherCID>:<numberofbytes>;...

      For the specified CID, the size limit for the uploaded .CSV file will be what is specified in this configuration, not what may be otherwise specified in an environment variable.

  • Fleet Management

    • Fleet Management Overview now offers two query modes:

      • The legacy mode, which remains available for existing workflows and is unchanged.

      • The new mode, which supports only collectors operating using versions 1.9.0 and newer.

      The new query mode will be set as the default. To revert to the previous version, the new query mode can be disabled in Settings.

      They key differences in legacy mode and the new query mode overview include:

      • Legacy overview will perform queries to catch all versions of collectors, and also display collectors that are not enrolled.

      • New overview will feature queries only using #kind tags. It will show the notification Requires 1.9.0+ for all collectors with versions 1.5.*-1.8.*, as ingest and status will not be queried, and therefore not shown.

      All collectors below version 1.5.* will not be queried. However, they will appear in the historical section, since we cannot differentiate between inactive collectors and those that are this old.

      Only the overview queries are updated; group queries have not been impacted.

Fixed in this release

  • Automation and Triggers

    • Fixed an issue where action invocation could hang indefinitely if the action used Transport Layer Security (TLS) and the host name was not compatible with Server Name Indication (SNI) hostname requirements. Invalid hostnames are no longer added as an SNI on a TLS connection.

  • Storage

    • Fixed a rare issue where bucket transfer scheduler behavior sometimes led to starvation and/or a reduction in the effective concurrency of bucket transfers by a total of 1, particularly in situations where transfer failure already existed, such as in cases of network issues.

  • Ingestion

    • Fixed an issue where misconfigured ingest feeds would prevent other feeds from being picked up during the initialization phase.

  • Queries

    • Scheduling of hash files has been reverted due to excessive overhead on the thread that creates hash files.

  • Functions

    • Fixed an issue where queries using the correlate() function in a cluster running both a version older than 1.233 and a version that is 1.233 or newer experienced a serialization issue, where the new version serialized items in a format that was not recognized by the previous version.

  • Packages

    • Fixed an issue where the absence of the Linux command-line utility lscpu in the Docker base image broke the CPU Architecture widget in the insights package.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Fleet Management

    • Fleet management groups can now be created with configurations that are partial and/or that contain merge conflicts. Users are provided with a warning regarding possible conflicts, but are no longer blocked from saving the group.

    • The Fleet Insights page now also provides a legacy mode. Legacy mode will still query for collectors that do not have #kind tags ingest, sources, and problemsReport field.

      The new Fleet Insights page will continue to query using only #kind tags.