Falcon LogScale 1.245.0 GA (2026-06-16)

Version: 1.245.0
Type: GA
Release Date: 2026-06-16
Availability: Cloud
End of Support: Next LTS
Security Updates: No
Upgrades From: 1.177.0
Downgrades To: 1.177.0
Config. Changes: No


Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Removed

Items that have been removed as of this release.

GraphQL API

  • The deprecated enum value filteralert has been removed from the LanguageVersionEnum enum in the GraphQL API.

Configuration

  • The deprecated environment variable EXTRA_KAFKA_CONFIGS_FILE has been removed. LogScale will now refuse to start if this environment variable is configured.

    The following environment variable prefixes are available for configuring each Kafka client individually:

    In addition, KAFKA_COMMON_ can be used to pass configuration to all clients, though settings configured using the client-specific prefixes take precedence when a setting is present with both prefixes.

    Kafka configuration options such as request.timeout.ms can be passed with these prefixes using the following rewrite procedure:

    1. Enter the option name in all uppercase - for example: REQUEST.TIMEOUT.MS.

    2. Replace . with _ - for example: REQUEST_TIMEOUT_MS.

    3. Apply the prefix for the target client - for example: KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS.

    4. Pass the configuration option as an environment variable to LogScale on boot - for example: KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS=30000.

    Configuration previously passed via EXTRA_KAFKA_CONFIGS_FILE can be migrated to environment variables using the procedure above, using the KAFKA_COMMON_ prefix.
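
The rewrite procedure and migration above, as an added example script (not LogScale's own tooling). The function names are hypothetical, and the old file is assumed to hold one key=value Kafka option per line.

```shell
#!/bin/sh
# Added example: migrate a removed EXTRA_KAFKA_CONFIGS_FILE to KAFKA_COMMON_* variables.
# Assumption: the old file holds one "key=value" Kafka option per line.

# Steps 1-3 of the rewrite procedure: uppercase, '.' -> '_', then prepend the prefix.
kafka_env_name() {
    printf '%s%s\n' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]' | tr '.' '_')"
}

# True when the removed variable is still set, which makes LogScale refuse to start.
removed_var_set() {
    [ -n "${EXTRA_KAFKA_CONFIGS_FILE+x}" ]
}

# Print one KAFKA_COMMON_<NAME>=<value> line per option found in file $1.
# Blank lines and comments are skipped; anything else without '=' is reported.
migrate_kafka_props() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//')
        case "$line" in
            '' | '#'* | '!'*) continue ;;
            *=*) ;;
            *) printf 'skipped (no "="): %s\n' "$line" >&2; continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        [ -n "$key" ] || continue
        printf '%s=%s\n' "$(kafka_env_name KAFKA_COMMON_ "$key")" "$value"
    done < "$1"
}

# Demo on a constructed sample file (not taken from a real deployment).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample of an old EXTRA_KAFKA_CONFIGS_FILE
request.timeout.ms=30000
security.protocol = SASL_SSL
EOF
    # The output can carry credentials (for example sasl.jaas.config),
    # so write it to a file with restrictive permissions, not a shared log.
    migrate_kafka_props "$sample"
    rm -f "$sample"
}
demo
```

Running removed_var_set in the service's environment before the upgrade catches the refuse-to-start condition early.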

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

New features and improvements

  • Functions

    • Added the new function appendAggregation(), which appends an aggregation of the preceding events to the end of the current result set. This allows query results to be appended with an aggregate summary such as totals, averages, and more.

      The following example demonstrates the function:

      head() | appendAggregation({ sum(value, as="value") | event:="total"})

Fixed in this release

  • Storage

    • Fixed an issue with bucket upload logic that in rare cases was causing the loss of lookup files during upload. This same issue also caused lookup file uploads to be slower than expected due to unintentional throttling.

  • GraphQL API

    • Fixed an issue where the GraphQL argument metadataEndpointUrl was not persisted when provided to the GraphQL mutation updateSamlIdentityProvider.

  • Ingestion

    • Digest partition assignment to hosts is now uniform across the partition range to avoid hotspots.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • Collapsible sections have been added to the parser extensions view in the Parser editor.

  • GraphQL API

    • The GraphQL query analyzeQuery now supports a new query kind for scheduled searches.

  • Configuration

    • The default value for the environment variable QUERY_CACHE_COMPLETE_STATES_MIN_COST has been lowered from 1000 to 100 to make cheaper queries eligible for caching.

  • Queries

    • Queries that filter on the event ID field @id using a malformed value now immediately return no results, instead of scanning for events that could never match.

      If a malformed value appears alongside one or more valid values (for example in an or expression of several @id values), only the invalid value is dropped; the valid values still resolve directly to their respective events.

  • Functions

    • The query function stdDev() has been improved:

      • An issue has been fixed that caused the function to crash in an extreme corner case.

      • Overall performance of the function has been improved.

      • A new algorithm has been introduced that handles smaller relative deviations with greater ease. This algorithm may produce slightly different results than before. However, under normal circumstances the change amounts to less than 1 part per million (ppm).

    • The function redactEvents() has been updated to account for internal query result caches. Redaction tasks will now only finish once query caches that may contain the redacted event have reached their maximum time to live, ensuring that such events will not temporarily appear due to results being served from the cache.