Falcon LogScale 1.249.0 GA (2026-07-14)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.249.0GA2026-07-14

Cloud

Next LTSNo1.177.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Removed

Items that have been removed as of this release.

Storage

  • The feature flag NewFileTransferQueuing has been removed. The feature it controlled is now always enabled.

    The following metrics have been removed due to code changes rendering them obsolete:

    • bucket-storage-request-upload

    • handle-bucket-upload-tasks-latency

    • handle-bucket-download-tasks-latency

    • start-new-bucket-tasks-latency

    • bucket-transfer-manager-iteration-time

    • bucket-storage-download-requests-cap-size-hits

    The following metrics have been removed and replaced by other metrics:

    • bucket-storage-pending-work has been removed, and replaced by bucket-storage-currently-submitted-segment-uploads, which is labeled by whether the target bucket is the primary or secondary bucket.

    • bucket-storage-download-queue-free-slots has been removed and replaced by bucket-storage-download-free-slots.

    • bucket-storage-segment-downloads-in-progress has been removed and replaced by bucket-storage-in-progress-downloads.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • GraphQL API

    • After an organization is soft deleted using the removeOrganization mutation, you can now only call the following mutations on that organization:

      Previously, you could call any mutation on a soft-deleted organization.

New features and improvements

  • GraphQL API

    • The GraphQL mutation searchDataDistribution has been added on a preview basis. This new mutation returns segment data distribution statistics for a repository or view within a time range.

      The query provides:

      • Time-bucketed segment counts

      • A per-datasource breakdown

      • Tag distribution with scan cost percentages

      • Separate entries for join() and defineTable() subqueries

      This is useful for understanding data layout and estimating query scan costs before running expensive searches.

  • Packages

    • Scheduled PDF reports are now supported in packages, and can be exported as YAML files and imported from YAML files.

      The GraphQL API now exposes a yamlTemplate field on the ScheduledReport output type. Three new mutations have also been added:

      When a scheduled report references a dashboard from another package and both are exported together into a new package, the dashboard reference in the scheduled report template is automatically rewritten to point to the new package (e.g. old/package:my-dashboard becomes new/package:my-dashboard).

Fixed in this release

  • Ingestion

    • Fixed an issue where ingest feeds with a backlog would experience a slower catch up process than expected due to a failure to increase polling concurrency.

  • Queries

    • Fixed an issue where recently created multi-cluster search queries waiting for dependencies would sometimes stall during handover at node restart. These queries are now handed over to a new node.

    • Fixed an issue where modifications to the @id field could cause queries to crash during sorting when the @timestamp field was not available. This was triggered by using the head() function after collecting multiple @id values into a single field using the collect() function. Events with modified @id values are now sorted after events with unmodified values.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Storage

    • The field fileId has been added to bucket upload and download logs related to lookup files. This makes it easier to correlate log lines with relevant entities in the global database. The fields viewId and orgId have also been added to bucket download logs when handling lookup files.

  • API

    • The endpoint /api/v1/uploaded-files/unset-uploaded-file-bucketId has a new optional Boolean parameter, includeDeleted. This allows users to unset bucket IDs for files that are marked as deleted. The parameter is set to false by default, and is backwards compatible.

    • The status codes when unsetting a bucket on a nonexistent file entity have been updated for the endpoint /api/v1/uploaded-files/unset-uploaded-file-bucketId. The endpoint now returns the following codes:

      • 204 No Content - The bucket ID has been successfully unset.

      • 404 Not Found - The file does not exist on the host.

      • 404 Not Found - The file is deleted and the value of the parameter includeDeleted is false.

  • Ingestion

    • The status of MaxMind databases has been added to the ingest status endpoint as an advisory precondition.

    • JSON files used as lookup files that do not adhere to structural requirements are now rejected during the upload process. JSON files are now required to be in one of two formats:

      • An object whose values are all objects (e.g. { "key1": { "col1": "val1" }, "key2": { "col2": "val2" } })

      • A non-empty array of objects (e.g. [ { "col1": "val1" }, { "col2": "val2" } ])

      Previously, JSON files with unsupported structures would result in an empty lookup file, with the contents silently discarded.

  • Queries

    • Improvements have been made to Language Server Protocol (LSP) completion suggestions, reducing the number of incorrect suggestions provided in certain contexts. Specifically, improvements have been made when providing suggestions inside array function arguments.

  • Fleet Management

    • The Fleet Management configuration editor now validates the collector configuration YAML before publishing. If a configuration contains invalid YAML, publishing and testing are blocked and an error is shown.

      Note

      The configuration editor only validates YAML syntax.

  • Metrics and Monitoring

    • Non-sensitive logging for thread groups has now been extended to include additional Linux Input/Output (I/O) metrics.

      The following page faults from /proc/pid/stat are now included:

      • Minor Fault - minflt

      • Major Fault - majflt

      All I/O counters from /proc/pid/io are now included:

      • Read Characters - rchar

      • Wide Characters - wchar

      • Read System Calls - syscr

      • Write System Calls - syscw

      • Number of Bytes Read from Physical Storage - read_bytes

      • Number of Bytes Sent to Storage Layer - write_bytes

      • Number of Canceled Bytes Originally Marked for Disk Storage - cancelled_write_bytes

      They are logged per thread group as existing metrics.

  • Auditing and Monitoring

    • Customer IDs (CIDs) have been added to log and metric output, making it easier to correlate log lines and metrics with a specific customer. The CID is included wherever the organization is already identified (typically alongside the existing orgId field), and is only present when the organization has a CID set - organizations without one are unaffected.

      The cid field has been added to:

      • Audit logs - All audit actors that carry organization information, such as organization users, ephemeral users, log collectors, and various API token actors.

      • Activity and system logs - System log line and per-repo/per-tag usage summary log lines.

      • Usage measurements - A cid field has been added on measurement events.

      • Log Collector metrics - On metrics ingested from log collectors via Fleet Management, a cid tag and a new orgId tag have been added.

      For audit logs specifically, optional fields with no value are now omitted entirely instead of being serialized as "field":null. This affects the cid field and existing optional fields such as prefilter, userId, and for the humio-metrics type SystemActor specifically, organizationId. Anything consuming these audit fields should treat a missing field as a null value.

    • Query origin metadata has been added to audit logs. Each query now includes the following fields:

      • origin - the page that initiated the query (e.g. search-page or dashboard).

      • area - the specific UI area, if applicable (e.g. fields-panel or widget-id-1234).

      • dashboard-id - the dashboard ID, for dashboard pages.

      These fields are sent via extraLogFields and are available in the humio-audit repository as customKey.origin, customKey.origin.area, and customKey.origin.dashboard-id respectively.

      Additionally, the Dashboards page and EntitiesSearch API now support filtering dashboards by ID, allowing users to locate a dashboard directly from the customKey.origin.dashboard-id audit field. Unlike other dashboard filters, this matches exact IDs rather than performing a substring search.