Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Welcome to Splunk SOAR (On-premises) 5.3.1

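If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.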

What's new in 5.3.1

This release of Splunk SOAR (On-premises) includes the following enhancements.

Feature: Description

Telemetry improvements: To help improve Splunk SOAR (On-premises), Splunk now collects playbook names, playbook descriptions, and custom-function names in telemetry.

Caution: Due to this change, don't include any personally identifiable or sensitive information in playbook names, playbook descriptions, and custom-function names.

Installer and upgrader improvements: Splunk SOAR (On-premises) features many improvements to its installer and upgrader. For detailed information, see the New installation and upgrade processes section. Improvements include the following:
  • For unprivileged installations, an automated script prepares the system for installation, eliminating the need to complete many manual steps required to install previous versions of Splunk SOAR (On-premises).
  • The installer prompts the user to confirm whether they want to install Splunk SOAR (On-premises) before performing the installation.
  • Spinners appear to indicate that the installer is running.
  • Additional configuration is now available for many files in Splunk SOAR (On-premises) directories.
  • Installation methods have been simplified to unprivileged and privileged. Those methods continue to satisfy requirements for systems with limited internet access.
  • Failed installations create a continuation file, allowing for continued installations from the moment of failure.

Caution: Python 3.9 impact on apps: To help ensure apps are compatible with the Python 3.9 upgrade, use the --with-apps argument when running the upgrade script.

Caution: In addition to releasing an improved installer, the OVA build distribution for this release has been temporarily halted. Whether to reinstate the OVA build distribution in upcoming releases is under evaluation.

Note: As of version 5.3.1, RPM files are no longer available for Splunk SOAR (On-premises) installations. Follow the updated instructions for privileged and unprivileged installations. Unique tarballs are available for privileged and unprivileged installations.

Python upgrade: Python has been upgraded from version 3.6 to 3.9. For detailed information, see the Python 3 upgrade section.

Caution: Python 3.9 impact on apps: You must upgrade apps to be compatible with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Caution: Python 3.9 impact on apps: If you use the terms "async" or "await" as names of variables, functions, or other pieces of code in your playbooks, a SyntaxError results. Rename anything named "async" or "await" in your playbooks. Existing Python 3.6 playbooks continue to work in the new Python 3.9 environment.

Note: As part of the Python upgrade, pylint has also been updated, and its import checks have been disabled because they were causing false positive ImportErrors.

SELinux compatibility: Unprivileged instances of Splunk SOAR (On-premises) support SELinux.

Single-line JSON for install logs: In previous versions of Splunk SOAR (On-premises), install logs were in pretty-printed JSON format. Install logs now display in single-line JSON format.

jq bundle: jq is now bundled with Splunk SOAR (On-premises). jq is a command-line JSON processor that allows you to manipulate structured data.

Disconnected my.phantom.us: All apps in Splunk SOAR (On-premises) now point to Splunkbase. The toggle that allows you to switch the connection between Splunkbase and my.phantom.us has been removed.

New installation and upgrade processes

As of this release, Splunk SOAR (On-premises) features new methods for installing and upgrading.

The new installation and upgrade process includes changes to the directory structure for Splunk SOAR (On-premises). To determine whether the new structure requires remediation, ensuring your apps and playbooks run correctly, reference the tables in the Remediate Splunk SOAR (On-premises) directory changes topic in the Install and Upgrade Splunk SOAR (On-premises) manual.

Python 3.9 impact on apps: To help ensure apps are compatible with the Python 3.9 upgrade, use the --with-apps argument when running the upgrade script.

In addition to releasing an improved installer, the OVA build distribution for this release has been temporarily halted. Whether to reinstate the OVA build distribution in upcoming releases is under evaluation.

As of version 5.3.1, RPM files are no longer available for Splunk SOAR (On-premises) installations. Follow the updated instructions for privileged and unprivileged installations. Unique tarballs are available for privileged and unprivileged installations.

Planning to install Splunk SOAR (On-premises)?

Begin your installation by reviewing the following documentation:

Planning to upgrade to Splunk SOAR (On-premises) from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk SOAR (On-premises), read Prepare your deployment for upgrade in the Install and Upgrade Splunk SOAR (On-premises) manual.

Splunk SOAR (On-premises) requires incremental upgrades from earlier versions. Do not skip any required versions when upgrading Splunk SOAR (On-premises). For example, if you wish to upgrade to Splunk SOAR 5.3.1 from Splunk SOAR 5.2.1, you will first need to upgrade Splunk SOAR to 5.2.1 before upgrading to Splunk SOAR 5.3.1.

Python 3 upgrade

The current versions of Splunk SOAR (Cloud) and Splunk SOAR (On-premises) now use Python 3.9 because the last version of Python used in the SOAR products is no longer supported by the Python Software Foundation. This upgrade ensures that the SOAR products can continue to rely on community support and maintain compatibility with many third-party projects that use Python.

In practice, all apps and playbooks now run using Python 3.9 by default. However, if you use an older automation broker, the SOAR products still use Python 3.6.

Python 3.9 impact on apps: You must upgrade apps to be compatible with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Python 3.9 impact on apps: If you use the terms "async" or "await" as names of variables, functions, or other pieces of code in your playbooks, a SyntaxError results. Rename anything named "async" or "await" in your playbooks. Existing Python 3.6 playbooks continue to work in the new Python 3.9 environment.
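
One way to check playbooks for the async/await problem described above before upgrading, as an added example that is not Splunk's code: a token-level scanner that reports where `async` or `await` is used as a name. The sample playbook and its submit() and helper() functions are constructed, and the keyword-versus-name decision is a heuristic (a call such as await(5) is not distinguished from an await expression).

```python
import io
import keyword
import tokenize

RESERVED = {"async", "await"}
ASYNC_FOLLOWERS = {"def", "for", "with"}    # tokens that follow a genuine `async`
NAME_ONLY_BEFORE = {"def", "class", "."}    # what comes next can only be a name
SKIP = {tokenize.COMMENT, tokenize.NL, tokenize.INDENT, tokenize.DEDENT}

# Constructed Python 3.6-era playbook; submit() and helper() are hypothetical.
SAMPLE_PLAYBOOK = '''\
def on_start(container):
    async = True
    submit(container, async=async)
    # async in a comment or "await" in a string is harmless
    return "await approval"

def await(seconds):
    pass

async def helper(client):
    return await client.fetch()
'''

def _starts_expression(tok):
    """True if tok can begin the operand of a genuine `await` expression."""
    kind = tokenize.tok_name[tok.type]
    if kind in {"NUMBER", "STRING", "FSTRING_START"} or tok.string in {"(", "[", "{"}:
        return True
    return kind == "NAME" and (not keyword.iskeyword(tok.string) or tok.string == "await")

def find_reserved_identifiers(source):
    """Return (line, column, word) for each async/await that is used as a name."""
    toks = [t for t in tokenize.generate_tokens(io.StringIO(source).readline)
            if t.type not in SKIP]
    hits = []
    for i, tok in enumerate(toks):
        kind = tokenize.tok_name[tok.type]
        if tok.string not in RESERVED or kind not in {"NAME", "ASYNC", "AWAIT"}:
            continue
        prev, nxt = (toks[i - 1].string if i else ""), toks[i + 1]  # ENDMARKER is last
        ok = nxt.string in ASYNC_FOLLOWERS if tok.string == "async" else _starts_expression(nxt)
        if not ok or prev in NAME_ONLY_BEFORE:
            hits.append((tok.start[0], tok.start[1], tok.string))
    return hits

if __name__ == "__main__":
    for line, col, word in find_reserved_identifiers(SAMPLE_PLAYBOOK):
        print(f"line {line}, column {col}: '{word}' used as an identifier")
```

Because the scan works on tokens rather than a parsed tree, it also runs on playbook source that Python 3.9 would reject with a SyntaxError.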

As part of the Python upgrade, pylint has also been updated, and its import checks have been disabled because they were causing false positive ImportErrors.

Last modified on 20 April, 2022

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.1

