Splunk® SOAR (On-premises)

Release Notes

Acrobat logo Download manual as PDF


The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Known issues for

Release 5.2.1

Date filed Issue number Description
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL: 
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly: 


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-03-07 PSAAS-12588 Upgrade : step InstallCustomerPipPackages fails on air gapped instance

Workaround:
Give air gapped instance access to the internet
2022-09-27 PSAAS-10421 Massive volume of PhUser last_login updates causing DB bottlenecks
2022-09-26 PSAAS-10411 ibackup stores the entire PostgreSQL database in every incremental backup.
2022-05-31 PSAAS-9037 NGINX and PGBouncer logs aren't set to rotate in unprivileged instances
2022-05-25 PSAAS-9013 glusterfs mount crashes with segmentation fault on SOAR cluster node, results in "Transport is not connected" error

Workaround:
To resolve the error, follow these steps:
  1. On the gluster server, disable the open-behind feature for any affected volumes by running this command: gluster volume set <volname> open-behind off
  2. On the cluster nodes where the glusterfs client crashed, unmount and remount the affected share by running these commands in sequence (you must run these commands as a root user if you are on a privileged cluster):
    1. umount <path_to_share>
    2. mount -a
2022-05-22 PSAAS-8960, PSAAS-7396 Missing '/' ${PHANTOM_HOME}DIR/etc/enable for offline installers

Workaround:
This issue causes a warning message to appear. To resolve the warning, follow these steps:
  1. Extract the installation file, but don't run the installation command. For specific instructions, see [1].
  2. Open the phantom_offline_setup_rhel.sh file.
  3. In the file, find $\{PHANTOM_HOME}DIR/etc/enable, which is located on lines 518–519.
  4. Edit the file to remove DIR from $\{PHANTOM_HOME}DIR/etc/enable.
  5. Save the changes.
  6. Run the installation command: ./phantom_offline_setup_<OS>.sh install.

If you've already run the installation command, you can workaround this issue by ensuring this line is present in the /opt/phantom/etc/enable file: export PHANTOM_FIPS_MODE=0.

2022-05-03 PSAAS-8792 phenv db_maintenance cannot run data retention for containers due to an AttributeError

Workaround:
There is no known workaround for this issue at this time.
2022-04-29 PSAAS-8778 Python 3 playbook converter fails for some misformatted legacy custom functions

Workaround:
none
2022-04-29 PSAAS-8776 Investigation page: Widget layout and visibility is not saved via "manage widgets"

Workaround:
none known at this time
2022-04-14 PSAAS-8617 Ingestion failures

Workaround:
If ingestion stops in your instance, restart the ingestd service. Go to *Administration* > *System Health* > *System Health*. Find the instestd service in the list and then select the *Restart* button.
2022-04-06 PSAAS-8525 Automation playbook vs Input playbook inconsistencies when filtering

Workaround:
None.
2022-04-06 PSAAS-8595 indicator_artifact endpoint with indicator_value parameter shows unexpected results for modified indicators

Workaround:
No workaround found
2022-03-22 PSAAS-8185 FIPS - Failed to import new repo with SSH
2022-03-10 PSAAS-7956 VPE: Block with name of "artifacts" confuses generated code resulting in incorrect and unexpected output
2022-03-03 PSAAS-7843 Update REST API ENDPOINT indicator_by_value to use timerange parameter

Workaround:
Work Around number 1

Use /rest/indicator?timerange=today&filter_value_icontains="google.com" instead.

Work Around number 2

You can remove the __icontains and use only _filter_value="google.com".

2022-02-25 PSAAS-7738 VPE 2: Action block with built-in format causes overlapping fields with parameters and becomes uneditable
2022-02-25 PSAAS-7737 VPE 2.0 - true and True produce different types in code generation
2022-02-22 PSAAS-7681 VPE 2.0: Saving an existing playbook should default to the repo of the playbook
2022-02-22 PSAAS-7682 VPE2: Action block panel lists apps and actions with Z-A sort order
2022-02-18 PSAAS-7649 uwsgi stops handling requests with SIGNAL QUEUE IS FULL error

Workaround:
Restart uwsgi
2022-02-15 PSAAS-7633 C++ log truncation can result in bad json for very long messages
2022-02-11 PSAAS-7604, PSAAS-9147 Deleting Source Control repo doesn't remove the playbooks

Workaround:
If you have command line access:
  1. Verify that the repo is marked as disabled=t in the scm table. 
    (SELECT * FROM scm);
  2. Verify that associated playbooks are marked as disabled=t and disabled=f in the playbook table 
    (SELECT * FROM playbook WHERE id=<scm_id>);
  3. Mark all associated playbooks as disabled=t 
    (UPDATE playbook SET disabled=t WHERE scm_id=<scm_id>);

2022-02-10 PSAAS-7592, PSAAS-12265 list inputs to custom function are no longer converted to lists
2022-02-10 PSAAS-7593 Multiple indicators for same value
2022-02-09 PSAAS-7568 VPE 2.0: "if" statement in action block code is missing in version 5.2.1 compared to version 5.1.0
2022-02-09 PSAAS-7574 VPE 2.0: Imported 5.0 playbook does not recognize the asset used and asset dropdown is empty
2022-02-08 PSAAS-7557 VPE2: Action Parameter order is not honored
2022-02-03 PSAAS-7495 Classic VPE - Asset import wizard no longer shows valid asset

Workaround:
To prevent this issue, skip the asset configuration wizard when you import a playbook. You can fix the assets by editing the playbook, then clicking on the blocks with that show misconfigured assets.
2022-02-03 PSAAS-7494 VPE 2.0 - Importing playbook created in previous releases deletes action parameters

Workaround:
To correct for this issue:
  1. Open the playbook and check for the names of any apps and assets used by the playbook in the Code Editor.
  2. Go to Home > Apps then create new assets for the corresponding apps with the names used in the playbook from the previous step.
  3. After creating the assets, open the playbook again, and verify that the action blocks show as configured.
2022-01-26 PSAAS-7383 After upgrade, there is benign error "Asset name already in use" in phantom_install_log
2022-01-20 PSAAS-7307 Cloned Assets after upgrade will have secrets encrypted incorrectly

Workaround:
After upgrade, for any cloned assets, you will need to manually re-enter any passwords or secret environment variables.

Of the Splunk certified apps this will only happen for a shared asset on the WMI and LDAP apps.

2022-01-20 PSAAS-7305 In FIPS mode, when multiple versions of an app are installed, app version could not be switched from the version selector on the Apps page.

Workaround:
You can switch between app versions by reinstalling the version of the app you want to use with the "Install App" button on the apps page. This will work even if the desired app version is already installed on the system.
2021-12-17 PSAAS-7028 VPE 2.0 - UI issue causing dot separation in playbooks which worsens over time
2021-12-06 PSAAS-6865 Playbook Listing page crashes in Chrome & Edge browsers when filtering

Workaround:
Use firefox or safari.
2021-11-19 PSAAS-6653 VPE 2: Under certain circumstances, playbook editor will display blank screen

Workaround:
no workaround applicable
2021-09-30 PSAAS-5408 /rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags

Workaround:
Parse the result manually to exclude the span tags around the playbook name.
2021-09-17 PSAAS-3594 Upgrades to 5.0.1 may show errors with "role_id not found" which are benign and can be ignored
2021-08-16 PSAAS-4107 VPE 2: Prompt does not allow automation user and yet is selectable
2021-08-13 PSAAS-4106 VPE 2.0 - Keyboard shortcuts don't work with code focused
Last modified on 04 April, 2024
PREVIOUS
Welcome to 5.2.1 		  NEXT
Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.2.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters