Falcon LogScale 1.249.0 GA (2026-07-14)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.249.0 | GA | 2026-07-14 | Cloud | Next LTS | No | 1.177.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.249.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.
Removed
Items that have been removed as of this release.
Storage
The feature flag
NewFileTransferQueuinghas been removed. The feature it controlled is now always enabled.The following metrics have been removed due to code changes rendering them obsolete:
bucket-storage-request-upload
handle-bucket-upload-tasks-latency
handle-bucket-download-tasks-latency
start-new-bucket-tasks-latency
bucket-transfer-manager-iteration-time
bucket-storage-download-requests-cap-size-hits
The following metrics have been removed and replaced by other metrics:
bucket-storage-pending-work has been removed, and replaced by bucket-storage-currently-submitted-segment-uploads, which is labeled by whether the target bucket is the primary or secondary bucket.
bucket-storage-download-queue-free-slots has been removed and replaced by bucket-storage-download-free-slots.
bucket-storage-segment-downloads-in-progress has been removed and replaced by bucket-storage-in-progress-downloads.
Deprecation
Items that have been deprecated and may be removed in a future release.
The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
GraphQL API
After an organization is soft deleted using the removeOrganization mutation, you can now only call the following mutations on that organization:
recoverOrganization — Restores the organization to visible state.
rollbackOrganization — Fully deletes the organization under certain conditions and permissions.
Previously, you could call any mutation on a soft-deleted organization.
New features and improvements
GraphQL API
The GraphQL mutation searchDataDistribution has been added on a preview basis. This new mutation returns segment data distribution statistics for a repository or view within a time range.
The query provides:
Time-bucketed segment counts
A per-datasource breakdown
Tag distribution with scan cost percentages
Separate entries for
join()anddefineTable()subqueries
This is useful for understanding data layout and estimating query scan costs before running expensive searches.
Packages
Scheduled PDF reports are now supported in packages, and can be exported as YAML files and imported from YAML files.
The GraphQL API now exposes a yamlTemplate field on the ScheduledReport output type. Three new mutations have also been added:
When a scheduled report references a dashboard from another package and both are exported together into a new package, the dashboard reference in the scheduled report template is automatically rewritten to point to the new package (e.g.
old/package:my-dashboardbecomesnew/package:my-dashboard).
Fixed in this release
Ingestion
Fixed an issue where ingest feeds with a backlog would experience a slower catch up process than expected due to a failure to increase polling concurrency.
Queries
Fixed an issue where recently created multi-cluster search queries waiting for dependencies would sometimes stall during handover at node restart. These queries are now handed over to a new node.
Fixed an issue where modifications to the @id field could cause queries to crash during sorting when the @timestamp field was not available. This was triggered by using the
head()function after collecting multiple @id values into a single field using thecollect()function. Events with modified @id values are now sorted after events with unmodified values.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between
PRIMARY_STORAGE_PERCENTAGEandPRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
Improvement
Storage
The field fileId has been added to bucket upload and download logs related to lookup files. This makes it easier to correlate log lines with relevant entities in the global database. The fields viewId and orgId have also been added to bucket download logs when handling lookup files.
API
The endpoint
/api/v1/uploaded-files/unset-uploaded-file-bucketIdhas a new optional Boolean parameter,includeDeleted. This allows users to unset bucket IDs for files that are marked as deleted. The parameter is set tofalseby default, and is backwards compatible.The status codes when unsetting a bucket on a nonexistent file entity have been updated for the endpoint
/api/v1/uploaded-files/unset-uploaded-file-bucketId. The endpoint now returns the following codes:204 No Content- The bucket ID has been successfully unset.404 Not Found- The file does not exist on the host.404 Not Found- The file is deleted and the value of the parameterincludeDeletedisfalse.
Ingestion
The status of MaxMind databases has been added to the ingest status endpoint as an advisory precondition.
JSON files used as lookup files that do not adhere to structural requirements are now rejected during the upload process. JSON files are now required to be in one of two formats:
An object whose values are all objects (e.g.
{ "key1": { "col1": "val1" }, "key2": { "col2": "val2" } })A non-empty array of objects (e.g.
[ { "col1": "val1" }, { "col2": "val2" } ])
Previously, JSON files with unsupported structures would result in an empty lookup file, with the contents silently discarded.
Queries
Improvements have been made to Language Server Protocol (LSP) completion suggestions, reducing the number of incorrect suggestions provided in certain contexts. Specifically, improvements have been made when providing suggestions inside array function arguments.
Fleet Management
The Fleet Management configuration editor now validates the collector configuration YAML before publishing. If a configuration contains invalid YAML, publishing and testing are blocked and an error is shown.
Note
The configuration editor only validates YAML syntax.
Metrics and Monitoring
Non-sensitive logging for thread groups has now been extended to include additional Linux Input/Output (I/O) metrics.
The following page faults from
/proc/pid/statare now included:Minor Fault -
minfltMajor Fault -
majflt
All I/O counters from
/proc/pid/ioare now included:Read Characters -
rcharWide Characters -
wcharRead System Calls -
syscrWrite System Calls -
syscwNumber of Bytes Read from Physical Storage -
read_bytesNumber of Bytes Sent to Storage Layer -
write_bytesNumber of Canceled Bytes Originally Marked for Disk Storage -
cancelled_write_bytes
They are logged per thread group as existing metrics.
Auditing and Monitoring
Customer IDs (CIDs) have been added to log and metric output, making it easier to correlate log lines and metrics with a specific customer. The CID is included wherever the organization is already identified (typically alongside the existing orgId field), and is only present when the organization has a CID set - organizations without one are unaffected.
The cid field has been added to:
Audit logs - All audit actors that carry organization information, such as organization users, ephemeral users, log collectors, and various API token actors.
Activity and system logs - System log line and per-repo/per-tag usage summary log lines.
Usage measurements - A cid field has been added on measurement events.
Log Collector metrics - On metrics ingested from log collectors via Fleet Management, a cid tag and a new orgId tag have been added.
For audit logs specifically, optional fields with no value are now omitted entirely instead of being serialized as
"field":null. This affects the cid field and existing optional fields such as prefilter, userId, and for thehumio-metricstypeSystemActorspecifically, organizationId. Anything consuming these audit fields should treat a missing field as anullvalue.Query origin metadata has been added to audit logs. Each query now includes the following fields:
origin - the page that initiated the query (e.g.
search-pageordashboard).area - the specific UI area, if applicable (e.g.
fields-panelorwidget-id-1234).dashboard-id - the dashboard ID, for dashboard pages.
These fields are sent via extraLogFields and are available in the humio-audit repository as customKey.origin, customKey.origin.area, and customKey.origin.dashboard-id respectively.
Additionally, the page and
EntitiesSearchAPI now support filtering dashboards by ID, allowing users to locate a dashboard directly from the customKey.origin.dashboard-id audit field. Unlike other dashboard filters, this matches exact IDs rather than performing a substring search.