Splunk® Phantom (Legacy)

Release Notes

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Known issues in this release of Splunk Phantom

The following are issues and workarounds for this version of Splunk Phantom.


Splunk Phantom 4.9.39220

There are currently no known issues for this release of Splunk Phantom.

Splunk Phantom 4.9.37880

Date filed Issue number Description
2021-03-25 PPS-25634, PSAAS-2292, PORT-484 "Error" in web interface and "ERROR: App install failed" in wsgi.log when updating Apps on a release of Splunk Phantom with a lower minor version number than the final release for that version.

Workaround:
If you receive this error, take the following steps:

1. Upgrade to the latest Splunk Phantom platform release. Use the --without-apps option. See:

2. Once the Splunk Phantom platform upgrade is complete, upgrade your installed Apps using Main Menu > Apps, then click the APP UPDATES button.

2021-01-18 PPS-25333 Search index 'phantom_app_run' is indexing duplicate records.
2021-01-12 PPS-25300 Large number of prompt notifications could reach database connection limit

Workaround:
unknown
2020-12-11 PPS-25216 Using the "Related Event" item from the artifact info screen in Investigation produces the error 'indicator_value 404 Not found', then displays a never-ending 'loading history' message.
2020-09-09 PPS-24480 Scheduled reports do not run
2020-03-27 PPS-22080 Using special characters in the postgres replicator role password causes warm standby setup to fail.

Splunk Phantom 4.9.35731

Date filed Issue number Description
2021-03-25 PPS-25634, PPS-25632, PORT-484 "Error" in web interface and "ERROR: App install failed" in wsgi.log when updating Apps on a release of Splunk Phantom with a lower minor version number than the final release for that version.

Workaround:
If you receive this error, take the following steps:

1. Upgrade to the latest Splunk Phantom platform release. Use the --without-apps option. See:

2. Once the Splunk Phantom platform upgrade is complete, upgrade your installed Apps using Main Menu > Apps, then click the APP UPDATES button.

2021-01-12 PPS-25300 Large number of prompt notifications could reach database connection limit

Workaround:
unknown
2020-11-26 PPS-25108 Editing/saving an artifact with special characters in a cef field name in the UI does not match the REST API.

Workaround:
It is possible to update the artifacts via REST, but that process doesn't seem like it would be practical for most customers.
2020-11-17 PPS-25028 Deleting containers causes embedded splunkd to consume excessive CPU and get backlogged, and add_to_searchindex to consume excessive memory
2020-11-11 PPS-24981 Field create_time in Phantom is used as _time during Splunk indexing, when update_time is more appropriate
2020-10-01 PPS-24683 openID fails to allow login after 4.9 upgrade due to UnicodeDecodeError
2020-10-01 PPS-24681 Playbooks that have custom functions that have been deleted may fail to load the editor
2020-09-18 PPS-24574, PPS-24577 After upgrade to ver 4.9, editing a playbook created in ver 4.8 with ampersands in the playbook name converts the ampersand to the HTML entity "&amp;" in the phantom.playbook() call
2020-09-17 PPS-24534 Script create_output.py does not produce new app json
2020-08-27 PPS-24358 Event view rendering fails if it is created with a custom field set to 'None'
2020-08-14 PPS-24242 Add 'txt' to custom list's _output_format options.
2020-07-31 PPS-24119 SAML: UI and wsgi.log indicate "Missing entity_id specification" when attempting SAML Okta login after upgrading from ver 4.8 to ver 4.9
2020-03-27 PPS-22080 Using special characters in the postgres replicator role password causes warm standby setup to fail.
2020-02-28 PPS-21718 When a user was required to authenticate using SAML2 the user was always taken to the dashboard instead of the intended URI.

Splunk Phantom 4.9.33153

Date filed Issue number Description
2021-03-25 PPS-25634, PSAAS-2292, PORT-484 "Error" in web interface and "ERROR: App install failed" in wsgi.log when updating Apps on a release of Splunk Phantom with a lower minor version number than the final release for that version.

Workaround:
If you receive this error, take the following steps:

1. Upgrade to the latest Splunk Phantom platform release. Use the --without-apps option. See:

2. Once the Splunk Phantom platform upgrade is complete, upgrade your installed Apps using Main Menu > Apps, then click the APP UPDATES button.

2021-01-18 PPS-25333 Search index 'phantom_app_run' is indexing duplicate records.
2021-01-12 PPS-25300 Large number of prompt notifications could reach database connection limit

Workaround:
unknown
2020-11-30 PPS-25111 Creating an artifact with a cef_name that contains a space crashes JS when viewing the artifact.
2020-08-27 PPS-24362 Users are able to view and edit workbooks even without "system settings" permission
2020-08-20 PPS-24285 Child playbook or Custom Function error can cause parent playbook to hang
2020-07-28 PPS-24100 The phantom.update API mutates the container object with incompatible formats and key/value pairs
2020-07-20 PPS-23962 The function signature of VPE-disabled blocks does not automatically update to accept the custom_function keyword arguments
2020-07-17 PPS-23945 VPE playbook block is incorrectly named after upgrade to version 4.9
2020-07-17 PPS-23936 Splunk Phantom instances upgraded from a 3.0 installation break during upgrade path to the 4.9 release.

Workaround:
Delete the file /tmp/phantomOvaUpgrade before running the upgrade script.
2020-06-30 PPS-23766 Wrong Event Opens from AQ

Workaround:
In Investigation, keep the default tab settings and don't hide or rearrange them from the system default tab settings. 
2020-06-29 PPS-23761 Pylint validation for custom functions may cause validation errors due to python version mismatch.

Workaround:
Limit or disable pylint validation:
  • To avoid validation problems for items that are valid in python 2.7 but are not valid for python 3, add # pylint: disable=all anywhere in the code to ignore all validation.
  • To ignore specific lines of code, users can add a comment at the end of the line such as #pylint: disable={pylint error} to ignore a specific linting error.
  • Some syntax differences between python 2.7 and 3 cannot be ignored. Those errors need to be corrected or edited in the Custom Function using draft mode.
2020-06-25 PPS-23726, PPS-23709 Phantom 4.9 - Restore fails to start phantom after completion if there are postgresql.conf changes at the source instance

Workaround:
Copy the changes or modifications from the source instance from /opt/phantom/data/db/postgresql.conf where the backup was done and paste them in /opt/phantom/data/db/postgresql.conf. Restart Splunk Phantom after the changes are saved.
2020-06-24 PPS-23703 Restoring cluster backup multiple times on standalone does not work

Workaround:
Drop and recreate the local db before doing the second restore.

phenv python /opt/phantom/bin/recreate_local_db.pyc --no-prompt

2020-06-23 PPS-23683 More menu dropdown for multiple selected artifacts is missing download JSON option
2020-06-12 PPS-23436 update_certificates status shows double information for nginx
2020-06-11 PPS-23415 HUD card data text is not centered.
2020-06-09 PPS-23339 Case report does not show event status
2020-06-01 PPS-23196 The prefix feature is not supported on a cloud instance of Splunk
2020-05-28 PPS-23155 Asset & playbook indexes are not updated when data is deleted with remote search
2020-04-14 PPS-22378 Artifact note title is not refreshed in timeline Investigation page after being modified
2020-04-02 PPS-22181 force-pg-stop-backup option does not stop backup

Workaround:
Run select pg_stop_backup(); in the postgres shell instead of via the script.

This script option has been deprecated.


2020-04-01 PPS-22151 Playbook and custom function .tgz files can be imported in the wrong listing page
2020-01-29 PPS-21286 Backup & Restore: Unprivileged cluster restoration onto unprivileged standalone instance and vice versa does not work
2019-05-13 PPS-17004 Hashicorp vault token saved incorrectly

Workaround:
Enter the token as the LAST field, or re-enter the token when making other changes and save with that in the text box.
Last modified on 13 August, 2022

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9

