Falcon LogScale 1.240.0 GA (2026-05-12)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.240.0 | GA | 2026-05-12 | Cloud | 2027-06-30 | No | 1.177.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.240.0 to download the latest version
Bug fixes and updates
Removed
Items that have been removed as of this release.
GraphQL API
The deprecated GraphQL mutations createScheduledSearch and updateScheduledSearch have been removed.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following manuals have been moved to the archives:
The following manuals have been moved to the archives:
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
rdns()has been deprecated and will be removed in version 1.249. UsereverseDns()as an alternative function.
New features and improvements
Configuration
Uploads and downloads now use separate queues with a separate concurrency limit for each. The following configuration options have been added:
S3_STORAGE_MAX_CONCURRENT_UPLOADS- Controls the maximum concurrency of uploads to bucket storage. Defaults to one slot for every two CPU cores.S3_STORAGE_MAX_CONCURRENT_DOWNLOADS- Controls the maximum concurrency of downloads from bucket storage. Defaults to one slot for every two CPU cores.S3_STORAGE_TRANSFER_THREAD_POOL_SIZE- Controls the pool size for the shared thread pool used to execute uploads and downloads. Defaults to 50% of the node's CPU cores.
Some parts of the transfer process may be CPU-intensive, for example handling segment encryption. The concurrency of this work is controlled via the thread pool size. It is recommended to leave this at its default value, since permitting too much CPU-intensive work for bucket transfers at a time can be disruptive to the rest of the system.
The
S3_STORAGE_CONCURRENCYsetting, and similar settings for other bucket providers, is deprecated for removal in version 1.252.0. To ease migration,S3_STORAGE_MAX_CONCURRENT_UPLOADSandS3_STORAGE_MAX_CONCURRENT_DOWNLOADSwill use the value ofS3_STORAGE_CONCURRENCYas a default if the latter is configured. These changes also apply to the GCP and AZURE bucket types in addition to the S3 bucket type.
Fixed in this release
Queries
Fixed an issue where some very permissive regular expressions would cause subsequent results highlighting to exhaust a node's available memory.
Fixed an issue where very long regular expressions (greater than 10,000 characters) would cause a query to fail.
Fixed an issue where multi-cluster search queries were not correctly reflecting that they had been stopped. This occurred in cases where queries were stopped before all dependencies were ready, such as
defineTable()subqueries or files.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Storage
Reworked bucket storage concurrency controls to provide better granularity. Bucket storage uploads and downloads previously shared the same concurrency limit (
S3_STORAGE_CONCURRENCY) and used a shared queue where uploads always received priority over downloads.
Configuration
Added the dynamic configuration option
QuerySchedulerMaxCpuMsPerTimeSlice, which controls how much CPU time a chunk is allowed to take before attemptingdeferral of the remaining process. The default is 1,000 milliseconds.
Queries
Implemented the ability to stop work mid-chunk in the query scheduler, in order to switch between queries more responsively when slow queries are running. This behavior can be opted out of via the
AllowQuerySchedulerToBailOnSlowChunksfeature flag, which is planned for removal in a future version.
Metrics and Monitoring
Added the metric query-segment-chunk-deferred. The query scheduler executes queries by scanning each segment in portions of a particular byte size (chunks, consisting of a number of blocks) and is only able to make prioritization decisions between chunks. If a chunk takes too long, the scheduler may stop execution part way through and defer the rest of the work for later. This allows the scheduler to context switch to other queries, even when a very slow query is present where chunks take a long time. This metric counts how many times that kind of deferment occurs, which is an indicator of the presence of one or more very slow queries.
Added the metric block-count-in-chunk, which counts the number of blocks included in each segment chunk for segments being read during queries.
The following changes have been made to metrics:
bucket-storage-transfer-free-slots has been replaced by bucket-storage-upload-free-slots and bucket-storage-download-free-slots.
node-to-node-transfer-free-slots has been renamed to node-to-node-download-free-slots.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/firepower has been updated to v2.0.0.
Updated parser version to 5.0.0
Updated CPS version to 1.2.0
Updated ECS version to 9.3.0
Enhanced parsing for event codes 109201, 109207, 109210 with improved server address extraction and consistency with ASA format
Enhanced parsing for event code 113019 with additional vendor fields for group, session type, and network bytes calculation
Enhanced parsing for event codes 11300*, 11301* with improved server address, client NAT IP, and user extraction
Enhanced parsing for event codes 302013, 302015 with improved connection ID handling and username extraction from message end
Enhanced parsing for event code 302014 with corrected source/destination mapping based on connection initiator/target semantics
Enhanced parsing for event code 302016 with improved connection ID extraction and user closure reason parsing
Enhanced parsing for event code 302021 with event action extraction and network transport assignment
Enhanced parsing for event code 502103 with improved user privilege parsing and IAM categorization
Enhanced parsing for event codes 609001, 609002 with additional event action and destination address extraction
Enhanced parsing for event code 722051 with corrected field mapping for client NAT IP
Added support for event code 733100 with rate limiting and intrusion detection categorization
Added support for event code 746015 with DNS protocol parsing and question/answer extraction
Enhanced parsing for event code 746016 with improved DNS lookup failure parsing
Enhanced parsing for event codes 750001, 750002, 750006, 750007 with network configuration categorization
Added support for event code 750003 with network authentication failure categorization
Enhanced parsing for event code 751002 with improved authentication failure categorization and error message extraction
Added event.code field assignment from vendor mnemonic
Added event.reason field consistency logic to ensure availability across ASA and FTD events
For more information, see Package cisco/firepower Release Notes.
cisco/umbrella has been updated to v1.4.3.
Updated parser version to 3.0.3
Enhanced DLP logs parsing with improved URL handling using parseUri function
Added url.original field mapping for DLP traffic logs
Improved destination.domain field extraction for better URL parsing accuracy
For more information, see Package cisco/umbrella Release Notes.
juniper/srx has been updated to v1.5.3.
Fixed timestamp parsing format for single-digit day values in BSD syslog format
Updated parser version to 3.0.2
Updated CPS version to 1.2.0
For more information, see Package juniper/srx Release Notes.
f5networks/bigip has been updated to v3.1.1.
Updated ECS version to 9.3.0 and Parser version to 4.0.1
Enhanced HTTP request parsing for ASM events with improved regex extraction for request content
Fixed HTTP request body content extraction to properly parse content portion from request data
Added HTTP request MIME type field mapping from Content-Type header
Corrected HTTP request referrer field mapping to use proper vendor field
Improved authentication failure parsing with more specific regex pattern for user extraction
Fixed indentation and formatting issues in audit event processing section
For more information, see Package f5networks/bigip Release Notes.