Falcon LogScale 1.246.0 GA (2026-06-23)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.246.0GA2026-06-23

Cloud

Next LTSNo1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Removed

Items that have been removed as of this release.

GraphQL API

  • The GraphQL mutation removeSizeBasedRetentionForAllOrganizations has been removed. This mutation was previously deprecated and scheduled for removal in version 1.201.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The GraphQL field queryToRead in the query poll response has been deprecated and will be removed in version 1.258.

    Users that require table data for a subquery should use the tableName query parameter on the poll endpoint instead. This serves cached data rather than creating a new query based on the queryToRead string.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

New features and improvements

  • User Interface

    • Unicode control characters (C0, C1, and DEL) are now rendered as visible placeholders in the Event List, improving visibility of data that contains these previously invisible characters.

  • GraphQL API

    • The GraphQL field metadataEndpointUrl has been added to the SamlIdentityProvider output type in the GraphQL API. This field makes it possible to verify whether the GraphQL field metadataEndpointUrl is set correctly after creating or updating a SAML Identity Provider.

Fixed in this release

  • Security

    • Fixed an issue where a race condition caused the ability for permission assignments to be created for groups that had already been deleted.

  • Storage

    • Fixed an issue where in rare cases, events would be serialized into blocks incorrectly, leading to one or more fields becoming unreadable.

  • Functions

    • Fixed an issue with the correlate() function, where using the parameter jitterTolerance in conjunction with the sequence parameter being set to true could cause events falling within the jitter tolerance window but slightly out of timestamp order to be incorrectly excluded from results.

      correlate() now also supports jitterTolerance together with sequenceBy, provided the first field in sequenceBy is @timestamp or @ingesttimestamp. Previously, jitterTolerance could only be used with default sequencing. The jitter tolerance is applied to the first timestamp field, and any additional sequenceBy fields act as tiebreakers.

    • Fixed an issue with the correlate() function, where selective scanning would incorrectly influence the decision process for pipeline actions in cases where no data was available. Queries with one or more pipelines that contain zero matches in their segments will now finish much more quickly.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Queries

    • The fields organizationId and userId have been added to the query ended logs generated on query workers when part of a query completes.

  • Fleet Management

    • The humio-fleet system repository is now created by default, both for newly created organizations and for existing organizations.

      Previously, this repository was only created on demand the first time Fleet Management ingested data from a log shipper, meaning organizations that did not use Fleet Management never had it. As a result of this change, a humio-fleet repository will appear in every organization regardless of whether Fleet Management is in use. The repository retains data for 30 days by default.

  • Metrics and Monitoring

    • Added the query and live-reduce thread pools to the thread-pool-queue-size metric.