Splunk® SOAR (On-premises)

Release Notes

As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 5.3.1

Date filed Issue number Description
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL: 
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly: 


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mail boxes over time

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running
rm /var/mail/phantom

For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}

2023-04-15 PSAAS-13091 SOAR upgrade from 5.2.1 to 5.3.x will fail if a python3 app has been uninstalled
2023-03-22 PSAAS-12766 Cannot Subscribe to more than one scheduled report in UI
2023-02-02 PSAAS-12157 RCA: decided stops processing py3 playbooks
2023-01-24 PSAAS-12004 Playbook processing stops when Python runners time out and not get restarted
2022-11-29 PSAAS-11272 Upgrade: nginx failed to start due to dhparams file being deleted during upgrade

Workaround:
  1. Run phenv python ./bin/initialize.py --set-dhparams
  2. Continue the installation with ./soar-install --continue-from=StartPhantom

2022-11-08 PSAAS-11121 AppUpdate should continue to work with custom apps that have invalid versions

Workaround:
Uninstall the custom apps that are causing the blockage.
  1. To identify those custom apps, run the following script 
    
phenv phantom_shell
apps = App.objects.filter(disabled=False)
for app in apps:
  if not app.known_versions:
    print(app)

print('done looking up custom apps')
  2. Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
  3. Reinstall those custom apps

Repeat these steps each time you want to upgrade certified apps.

2022-11-03 PSAAS-11049 Search setting failing on test connection.
2022-10-13 PSAAS-10703 Default workbook is reset on upgrade if the original default has been removed
2022-09-26 PSAAS-10411 ibackup stores the entire PostgreSQL database in every incremental backup.
2022-09-07 PSAAS-10107 Status of Case is missing from Report

Workaround:
None known
2022-08-24 PSAAS-9971 BMC Remedy app notification email: Escape character breaks email

Workaround:
Do not append \n to the container name.
2022-08-10 PSAAS-9781 On privileged systems the phantom daemons may be started as the root user after a system reboot.

Workaround:
A crontab entry was incorrectly added by Splunk SOAR (On-premises) to the root user's account. Fix this issue by following these steps:
  1. Use SSH to log into the affected Splunk SOAR (On-premises) instance and become the root user:
    sudo su -
  2. As the root user, edit the crontab with crontab -e
  3. In the editor, delete the line that looks like this:
    @reboot /opt/phantom/bin/start_phantom.sh
  4. Restart Splunk SOAR (On-premises) instance. When the system restarts the processes run as the correct user:
    /opt/phantom/bin/stop_phantom.sh
    /opt/phantom/bin/start_phantom.sh
  5. Finally, make sure that future reboots will start Splunk SOAR (On-premises) properly with /opt/phantom/bin/phsvc enable phantom_watchdogd

2022-06-24 PSAAS-9316 Visual Playbook Editor: A 'false' value in artifact CEF is not evaluated correctly in decision and filter blocks

Workaround:
Use the in operator to evaluate whether a condition is 'true' or 'false', as shown in this example:["artifact:*.cef.cn1", "in", "'false'"]
2022-06-24 PSAAS-9319 Webserver log level setting in admin UI is not respected
2022-06-16 PSAAS-9230 Workflowd daemon crashes if approvals are missing asset ID
2022-06-16 PSAAS-9217 Apps params in VPE 2.0 do not match the order in the app code or app actions

Workaround:
None
2022-06-13 PSAAS-9149 Issues with environment variables when "Secret" is checked

Workaround:
Not available workaround
2022-06-10 PSAAS-9141 Cluster upgrades to 5.3.1 can fail any node when running intialize.py, in populate_users_and_hec_token

Workaround:
On the failed node, skip the Initialize Phantom step of the upgrade process. In every other way, proceed through the upgrade process as normal. (Note, for versions newer than 5.3.1, the Initialize Phantom step is not needed.)
  1. After the soar-install command fails to run, edit the .soar-continue file. On a privileged cluster, change "InitializePhantomOnPrem" to "AddCrontabPriv"; on an unprivileged cluster, change "InitializePhantomOnPrem" to "AddCrontabUnpriv"; doing that allows the soar-install to skip the part of the process causing the issue.
  2. Run the soar-install command again. The upgrade process continues from the step specified in the .soar-continue file.
2022-06-07 PSAAS-9107 App Install : Fails due to NFS lock in App directory

Workaround:
Delete app and manually remove any files (especially hidden) from the app directory before attempting an install.
2022-06-01 PSAAS-9054 VPE : Playbooks fail to save: No name 'rules' in module 'phantom'
2022-05-25 PSAAS-9013 glusterfs mount crashes with segmentation fault on SOAR cluster node, results in "Transport is not connected" error

Workaround:
To resolve the error, follow these steps:
  1. On the gluster server, disable the open-behind feature for any affected volumes by running this command: gluster volume set <volname> open-behind off
  2. On the cluster nodes where the glusterfs client crashed, unmount and remount the affected share by running these commands in sequence (you must run these commands as a root user if you are on a privileged cluster):
    1. umount <path_to_share>
    2. mount -a
2022-05-19 PSAAS-8954 Running 'Update All' on Apps appears to cause ownership / permissions problems

Workaround:
To fix the permissions issue, run this command: chown -R nginx:phantom /opt/phantom/apps
2022-05-17 PSAAS-8933 JIT does not work when Automation Broker is configured which should be disabled
2022-05-03 PSAAS-8792 phenv db_maintenance cannot run data retention for containers due to an AttributeError

Workaround:
There is no known workaround for this issue at this time.
2022-04-29 PSAAS-8778 Python 3 playbook converter fails for some misformatted legacy custom functions

Workaround:
none
2022-04-20 PSAAS-8689 Postgres is listed on the system health page with status "unknown" when a remote DB is configured

Workaround:
There is no known workaround for this issue at this time.
2022-04-20 PSAAS-8686 Adding attachments to a note raise error "Upload has failed "

Workaround:
Add the file first from the FILES tab

Then create or edit the note attaching one of the already uploaded files.

2022-04-14 PSAAS-8617 Ingestion failures

Workaround:
If ingestion stops in your instance, restart the ingestd service. Go to *Administration* > *System Health* > *System Health*. Find the instestd service in the list and then select the *Restart* button.
2022-04-12 PSAAS-8569 5.2.1 -> 5.3.x upgrades fail if custom pip packages have been installed and the system cannot directly reach pypi.org without a proxy

Workaround:
Perform one of these two operations (up to customer discretion):
  1. Look into the <PHANTOM_HOME>/usr/local/customer_requirements.txt file and acquire all the packages therein; it's likely they were installed for a reason by the customer, so this is probably the most correct action. The commands for acquiring the package may vary depending on the customer's environment; however, it should generally be a pip install: phenv python3 -m pip install -r customer_requirements.txt
  1. OR, you can delete the entire <PHANTOM_HOME>/usr/local/customer_requirements.txt file (or any package listed in it) so the system does not attempt to install anything. This action may result in customer playbooks, custom functions, or even locally-written apps to fail since they might expect pip packages to exist that are no longer installed

You can continue the upgrade by re-running the soar-install command after performing either remediation above.

2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
2022-04-06 PSAAS-8595 indicator_artifact endpoint with indicator_value parameter shows unexpected results for modified indicators

Workaround:
No workaround found
2022-04-05 PSAAS-8499 Upgrade from 5.2.1 to 5.3.x fails with error "Failed to bootstrap playbook repos"

Workaround:
To resolve the issue, follow these steps:
  1. Run soar-install to upgrade to 5.3.1, and allow it to fail on the git repos step.
  2. Manually recover the GitRepos step by running this command:

    3. phenv python -c "import django, os; os.environ\['DJANGO_SETTINGS_MODULE'] = 'phantom_ui.settings'; django.setup(); from phantom_ui.ui.models import SCM; from phantom_ui.phplaybooks.git_helper import pull; s = SCM.objects.get(name='community', disabled=False); s.branch = '5.3'; s.save(); pull(s, None, True); print('Updated community repo')"

  3. The failure should create a .soar-continue file in the same directory as soar-install. Edit that file so the "continue_from" field is "UpdatePyOnPrem" instead of "GitRepos" or "GitReposPriv"
  4. Run soar-install again to complete the upgrade.

2022-03-24 PSAAS-8274 Multiple LDAP providers cannot be configured due to incorrect exception handling
2022-03-22 PSAAS-8185 FIPS - Failed to import new repo with SSH
2022-03-14 PSAAS-8005 Warm Standby SSH App rsync job fails on priv

Workaround:
If you are on a privileged install and use the SSH App, then you may have installed an SSH key in /home/phantom-worker/.ssh. An admin should copy that directory to the standby system.

If the original primary instance is inaccessible, then you can instead follow the SSH App documentation to generate and install a new SSH key.

2022-02-11 PSAAS-7604, PSAAS-9147 Deleting Source Control repo doesn't remove the playbooks

Workaround:
If you have command line access:
  1. Verify that the repo is marked as disabled=t in the scm table. 
    (SELECT * FROM scm);
  2. Verify that associated playbooks are marked as disabled=t and disabled=f in the playbook table 
    (SELECT * FROM playbook WHERE id=<scm_id>);
  3. Mark all associated playbooks as disabled=t 
    (UPDATE playbook SET disabled=t WHERE scm_id=<scm_id>);

Last modified on 13 March, 2025
Welcome to 5.3.1   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters