Falcon LogScale 1.238.0 GA (2026-04-28)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.238.0GA2026-04-28

Cloud

2027-06-30No1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Deprecation

Items that have been deprecated and may be removed in a future release.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Upgraded LogScale's bundled Java Development Kit (JDK) from version 25.0.2 to 25.0.3.

New features and improvements

  • Documentation

    • The Knowledge Base section of the documentation has been renamed to Guidance. This name change will enable us to build a wider range of content.

      The sub-sections, How-To, Best Practice, Troubleshooting, Use Cases and Questions will stay. The URLs for each page have also not changed and will keep their kb prefix.

Fixed in this release

  • User Interface

    • Fixed an issue where x-axis ordering for the Bar Chart widget could become unstable when the Others series in the Max series (bars) property contained varying subsets of x-axis categories with data updates.

  • Automation and Triggers

    • Fixed an issue in the handling of time zones where if an anchored time interval like LastWeek was used in scheduled reports, UTC timezone was implemented to calculate the start and end date of the report, leading to a drift in the time window (if the report was configured with a different time zone).

  • Configuration

    • Fixed an issue where, if not specified, the default Lightweight Directory Access Protocol (LDAP) port would be assumed to be 389 instead of 636, which is the default for Lightweight Directory Access Protocol over SSL/TLS (LDAPS). As a workaround, the port can be explicitly specified in the LDAP setup.

  • Queries

    • Fixed an issue where static queries transferred across different version of LogScale would become unreadable due to formatting changes and cause the query to fail. Now if this issue occurs, the query will restart.

    • Fixed an issue where a live query would occasionally fail, either internally or during client polling. This was due to a race condition created by a lack of bucket alignment.

    • Fixed an issue where temporary, self-correcting failures to publish in global snapshot could lead to query failures.

    • Fixed an issue where query handover in LogScale such as those occurring during node restart would in some cases lead to empty query results.

  • Functions

    • Fixed a rare issue where the correlate() function could miss events at time bucket boundaries. This fix only takes effect when all nodes in the cluster are running at least version 1.238.0 - multi-cluster search is not yet supported.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • A loading indicator has been added to the autocompletion menu in the new Query Editor for user-triggered prompts like the following:

      • Ctrl+Space

      • +Space

      This improves user experience during slow load times by ensuring users are aware that completions are being fetched from the server.

  • Configuration

    • The upper limit on the system setting MAPPER_JOB_QUEUE_LENGTH has been removed. This setting controls the maximum size of the mapper pool in each worker node.

      The mapper pool size defaults to 50% of the cores on the node, and the queue is configured by default to provide one queue slot per pool thread. This configuration ensures that mapper pool threads do not run out of work before the scheduler main loop can enqueue more.

      Note

      The mapper pool size default can be overridden by QUERY_EXECUTOR_CORES.

      The previous upper limit of 128 was harmful on nodes with more than 256 cores. Since there is no reason to impose an upper boundary on this configuration, the limit has been removed.

      The default value is recommended. The following considerations apply when adjusting this setting:

      • Decreasing the queue size risks leaving the mapper pool intermittently idle while the scheduler prepares more work to execute.

      • Increasing the queue size increases the latency on query prioritization decisions, since it takes longer between the scheduler deciding to execute a piece of work and that work making it through the queue.

  • Other

    • JSON encoding performance for message template output for actions and logs has been improved for the humio-activity repository. As a result, fewer characters are encoded, but all characters required to be encoded for JSON are encoded correctly.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • juniper/srx has been updated to v1.5.2.

      • Enhanced timestamp parsing with additional format support for non-RFC compliant logs

      • Updated parser version to 3.0.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.1.0

      • Improved field handling with proper timestamp field cleanup

      For more information, see Package juniper/srx Release Notes.

    • cisco/ios has been updated to v1.9.2.

      • Enhanced regex patterns to handle optional whitespace after colon separators in event codes

      • Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis

      • Added IANA protocol number to network transport protocol mapping for common protocols

      • Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters

      • Updated ECS version to 9.3.0

      • Updated parser version to 2.9.1

      For more information, see Package cisco/ios Release Notes.

    • dell/isilon has been updated to v1.2.3.

      • Updated ECS version to 9.3.0

      • Updated parser version to 1.1.4

      • Added support for RFC 5424 syslog format parsing

      • Added log.syslog.version field mapping

      • Enhanced timestamp parsing with case-based logic for different syslog formats

      For more information, see Package dell/isilon Release Notes.

    • cisco/firepower has been updated to v1.9.2.

      • Updated parser version to 4.1.2

      • Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats

      • Added support for multiple parsing patterns including domain\user combinations and hostname-only formats

      • Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field

      • Added support for event code 402117 for IPSEC non-IPSec packet events

      • Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures

      • Added IANA protocol number to transport protocol mapping for better protocol identification

      • Fixed whitespace formatting issues in parser code

      For more information, see Package cisco/firepower Release Notes.

    • checkpoint/ngfw has been updated to v2.7.1.

      • Enhanced client/server field mapping to apply to all events instead of only application control logs

      • Moved client/server field assignments outside conditional logic for broader coverage

      • Updated parser version to 3.7.1

      For more information, see Package checkpoint/ngfw Release Notes.