Splunk® Phantom (Legacy)

Release Notes

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Known issues in this release of Splunk Phantom

The following are issues and workarounds for this version of Splunk Phantom.


Date filed Issue number Description
2020-08-27 PPS-24362 Users are able to view and edit workbooks even without the "system settings" permission
2020-07-28 PPS-24100 The phantom.update API mutates the container object with incompatible formats and key/value pairs
2020-07-17 PPS-23936 Splunk Phantom instances upgraded from a 3.0 installation break during upgrade path to the 4.9 release.

Workaround:
Delete the file /tmp/phantomOvaUpgrade before running the upgrade script.
2020-06-25 PPS-23726, PPS-23709 Phantom 4.9 - Restore fails to start phantom after completion if there are postgresql.conf changes at the source instance

Workaround:
Copy the changes or modifications from /opt/phantom/data/db/postgresql.conf on the source instance, where the backup was done, and paste them into /opt/phantom/data/db/postgresql.conf on the restored instance. Restart Splunk Phantom after the changes are saved.
2020-06-24 PPS-23693 Actions fail intermittently on unprivileged systems when truncating log messages to 4096 bytes
2020-05-04 PPS-22747 Editing approvers for an asset whose previous owner(s) have been deleted fails with "requested item not found"

Workaround:
Manually send a REST POST to /rest/asset/<id> to clear out the asset's existing approvers:

{ "primary_owners": [], "secondary_owners": [], "primary_roles": [], "secondary_roles": []}

2020-04-30 PPS-22689, PPS-18353 Warm Standby: There are permission errors in rsync logs

Workaround:
On the primary:

- Modify the cron jobs to connect as root.

On the standby:

- Allow root to connect via SSH.

- Ensure the public SSH key used on the primary is in root's authorized_keys file on the standby.

2020-03-17 PPS-21953 Data type is not displayed correctly when adding a CEF with multiple data types using the REST API
2020-03-17 PPS-21945 Warm Standby: Temporary database gets overwritten on setup of standby

Workaround:
Use setup_warm_standby's "-l" option to store the recovery copy of the database in a directory that isn't rsync'ed from the primary.

- determine the size of the PHANTOM_HOME/data/db directory

- find a directory on the standby with more than that amount of space; somewhere outside of /opt/phantom

- use the "-l" option to point to that directory
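
The three steps above can be checked before setup_warm_standby is run. The script below is an added example, not part of the Splunk documentation; its function names are hypothetical, and PHANTOM_HOME is assumed to be /opt/phantom unless set in the environment.

```sh
#!/bin/sh
# Added example: validate a recovery directory before passing it to "-l".
# Function names are hypothetical; /opt/phantom is the path given on the page.

# Size of a directory tree in KiB.
dir_size_kb() { du -sk "$1" 2>/dev/null | awk '{print $1}'; }

# Free space in KiB on the filesystem that holds a directory.
free_kb() { df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'; }

# Succeeds only when directory $2, with symlinks resolved, is not $1 or below it.
is_outside() {
    home=$(cd "$1" && pwd -P) || return 2
    cand=$(cd "$2" && pwd -P) || return 2
    case "$cand/" in
        "$home"/*) return 1 ;;
    esac
    return 0
}

# check_recovery_dir PHANTOM_HOME CANDIDATE
# Returns 0 = usable, 1 = inside PHANTOM_HOME or too small, 2 = cannot check.
check_recovery_dir() {
    db_dir="$1/data/db"
    [ -d "$db_dir" ] || { echo "no database directory at $db_dir" >&2; return 2; }
    [ -d "$2" ] || { echo "no such directory: $2" >&2; return 2; }
    if ! is_outside "$1" "$2"; then
        echo "$2 is inside $1 and would be rsync'ed from the primary" >&2
        return 1
    fi
    need=$(dir_size_kb "$db_dir")
    have=$(free_kb "$2")
    [ -n "$need" ] && [ -n "$have" ] || { echo "could not measure space" >&2; return 2; }
    if [ "$have" -gt "$need" ]; then
        echo "ok: $2 has $have KiB free; the database needs $need KiB"
        return 0
    fi
    echo "too small: $2 has $have KiB free; the database needs $need KiB" >&2
    return 1
}

# Run as: sh check_recovery_dir.sh /path/on/standby
if [ "$#" -eq 1 ]; then
    check_recovery_dir "${PHANTOM_HOME:-/opt/phantom}" "$1"
fi
```

A directory that passes this check is a candidate for the "-l" option. The check resolves symlinks first, so a link that points back under PHANTOM_HOME is rejected.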

2020-01-30 PPS-21308 Phantom /rest/notification_summary requests generate extra warnings about datetime format.
2020-01-30 PPS-21307 After upgrading Splunk Phantom, you may see 503 errors when visiting the server node, or connection refused errors when visiting Splunk Phantom nodes.

Workaround:
Perform the following tasks on each Splunk Phantom node:
  1. Go to the /etc/nginx/conf.d directory.
  2. Back up the default.conf file.
  3. Rename the default.conf.rpmsave file to default.conf.
  4. Restart nginx:
    systemctl restart nginx


2020-01-29 PPS-21286 Backup & Restore: Unprivileged cluster restoration onto unprivileged standalone instance and vice versa does not work
2020-01-28 PPS-21206 The extdb_backup_bootstrap script fails to restart PostgreSQL after running the first time.

Workaround:
Use the pg_ctl command to restart instead of systemctl.
2020-01-23 PPS-21133 MacOS Catalina Certificate Error After Upgrade

Workaround:
Run the following command to force a new certificate:
/opt/phantom/bin/phenv python2.7 /opt/phantom/bin/initialize.py --set-https-cert --force
2019-12-16 PPS-20724 Backup & Restore: Restoring on cluster instance shows warning message "No nodes were enabled" that may be irrelevant
2019-09-30 PPS-19381 SEARCH: For Phantom clusters with distributed Splunk Enterprise deployments, Playbook and Custom Lists indexes are not searchable after upgrade from Phantom 4.6 to 4.8.

Workaround:
From Main Menu > Administration > Administration Settings > Search Settings, use the Reindex Search Data button, after selecting Playbooks from the drop-down menu.
2019-03-12 PPS-15941, MCSOAR-2033 Playbook API: phantom.condition rounds literal floating point values when comparing against values extracted from artifact datapaths
Last modified on 28 January, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8

