Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 5.3.2

Date filed Issue number Description
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
notes = response.json()['data']
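
The effect of the missing sort on paged retrieval, as an added example that is not Splunk code: it goes beyond the single-request workaround above and walks several pages, counting duplicated and missing rows with and without sort=id. FakeEndpoint, fetch_all and the rotating row order are hypothetical, constructed so the block runs offline.

```python
# Added example. FakeEndpoint is a constructed stand-in for a SOAR REST
# resource so the block runs offline; it is not Splunk code.
class FakeEndpoint:
    def __init__(self, n):
        self.rows = [{"id": i} for i in range(1, n + 1)]
        self.calls = 0

    def get(self, params):
        # Without an ORDER BY the row order is not guaranteed; model that by
        # returning a differently rotated result set on every request.
        shift = (4 * self.calls) % len(self.rows)
        self.calls += 1
        rows = self.rows[shift:] + self.rows[:shift]
        if params.get("sort") == "id":
            rows = sorted(rows, key=lambda r: r["id"])
        size = params["page_size"]
        start = params["page"] * size
        return {"count": len(rows), "data": rows[start:start + size]}


def fetch_all(get, page_size=10, sort="id"):
    """Walk every page; return (ids seen, duplicate ids, count of missing rows)."""
    seen, dupes, page, total = set(), [], 0, 0
    while True:
        params = {"page": page, "page_size": page_size}
        if sort:
            params["sort"] = sort
        body = get(params)
        total = body["count"]
        if not body["data"]:
            break
        for row in body["data"]:
            if row["id"] in seen:
                dupes.append(row["id"])
            seen.add(row["id"])
        page += 1
    return sorted(seen), dupes, total - len(seen)


if __name__ == "__main__":
    print("sorted:  ", fetch_all(FakeEndpoint(25).get)[1:])
    print("unsorted:", fetch_all(FakeEndpoint(25).get, sort=None)[1:])
```

Every duplicated row in the unsorted run displaces a row that is never returned, so a playbook that iterates tasks or notes this way silently skips some of them.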


2023-11-01 PSAAS-15256 Inactivity timeout logs the user out while working in the VPE
2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mail boxes over time

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running:
rm /var/mail/phantom

For each of the cron jobs installed during Splunk SOAR installation, edit the Splunk SOAR user's crontab (with "crontab -e") and append the following to the end of each command line: > /dev/null 2>&1

2023-05-24 PSAAS-13530 "Phantom startup failed: phantom_actiond" and "Waiting for Mnesia tables" when starting cluster nodes
2023-04-15 PSAAS-13091 SOAR upgrade from 5.2.1 to 5.3.x will fail if a python3 app has been uninstalled
2022-11-29 PSAAS-11272 Upgrade: nginx failed to start due to dhparams file being deleted during upgrade

Workaround:
  1. Run phenv python ./bin/initialize.py --set-dhparams
  2. Continue the installation with ./soar-install --continue-from=StartPhantom

2022-11-09 PSAAS-11068 Port forward from NRI port to 443 doesn't work on local machine.
2022-11-08 PSAAS-11121 AppUpdate should continue to work with custom apps that have invalid versions

Workaround:
Uninstall the custom apps that are causing the blockage.
  1. To identify those custom apps, run the following script:

    phenv phantom_shell

    # In the shell that opens, list enabled apps that have no known versions
    apps = App.objects.filter(disabled=False)
    for app in apps:
        if not app.known_versions:
            print(app)

    print('done looking up custom apps')

  2. Use the AppUpdate wizard to update known apps. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
  3. Reinstall those custom apps.

Repeat these steps each time you want to upgrade certified apps.

2022-10-27 PSAAS-10965 AB Auto Update does not work on upgraded stacks to 5.4.0

Workaround:
Run the following commands:
<PHANTOM_HOME>/bin/phenv python <PHANTOM_HOME>/www/manage.py change_ab_version --no-ab-version
<PHANTOM_HOME>/bin/phsvc reload uwsgi

2022-09-26 PSAAS-10411 ibackup stores the entire PostgreSQL database in every incremental backup.
2022-09-26 PSAAS-10454 UI error when navigating to case evidence tab caused by linked container that was removed by retention.

Workaround:
None.
2022-09-21 PSAAS-10335 UI Proxy Settings : lower case proxy name doesn't error

Workaround:
Use upper-case https_proxy
2022-09-07 PSAAS-10107 Status of Case is missing from Report

Workaround:
None known
2022-08-19 PSAAS-9910 Bulk Edit of Playbooks allows setting playbooks that are in draft mode to active
2022-08-10 PSAAS-9781 On privileged systems the phantom daemons may be started as the root user after a system reboot.

Workaround:
A crontab entry was incorrectly added by Splunk SOAR (On-premises) to the root user's account. Fix this issue by following these steps:
  1. Use SSH to log into the affected Splunk SOAR (On-premises) instance and become the root user:
    sudo su -
  2. As the root user, edit the crontab with crontab -e
  3. In the editor, delete the line that looks like this:
    @reboot /opt/phantom/bin/start_phantom.sh
  4. Restart the Splunk SOAR (On-premises) instance. When the system restarts, the processes run as the correct user:
    /opt/phantom/bin/stop_phantom.sh
    /opt/phantom/bin/start_phantom.sh
  5. Finally, make sure that future reboots will start Splunk SOAR (On-premises) properly with /opt/phantom/bin/phsvc enable phantom_watchdogd
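
A check for the condition described in PSAAS-9781, as an added example that is not Splunk code: it scans the text of root's crontab for an active @reboot entry that launches start_phantom.sh, and scans ps output for processes under /opt/phantom that are owned by root. The function names, the sample inputs and the daemon paths in them are constructed for illustration.

```python
# Added example, not Splunk code. Sample inputs below are constructed.
ROOT_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
#@reboot /opt/phantom/bin/old_start.sh
@reboot /opt/phantom/bin/start_phantom.sh
"""

# Shape of `ps -eo user=,args=` output; daemon paths are assumptions.
PS_OUTPUT = """\
root      /opt/phantom/bin/phantom_actiond
phantom   /opt/phantom/bin/phantom_watchdogd
root      /usr/sbin/sshd -D
"""


def root_reboot_entries(crontab_text, script="/opt/phantom/bin/start_phantom.sh"):
    """Return active @reboot lines in root's crontab that launch the script."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out entries
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "@reboot" and script in fields[1]:
            hits.append(line)
    return hits


def daemons_as_root(ps_text, home="/opt/phantom/"):
    """Return command lines under the install directory that root owns."""
    found = []
    for line in ps_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "root" and parts[1].startswith(home):
            found.append(parts[1].strip())
    return found


if __name__ == "__main__":
    print("root crontab entries:", root_reboot_entries(ROOT_CRONTAB))
    print("daemons owned by root:", daemons_as_root(PS_OUTPUT))
```

On a live host, feed the functions the output of `crontab -l` run as root and of `ps -eo user=,args=`; both lists should be empty once the workaround has been applied.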

2022-08-02 PSAAS-9687 Logging around the Splunk Forwarder is insufficient (add-es-index-stdout.log)

Workaround:
n/a
2022-08-01 PSAAS-9665, PSAAS-11327 VPE: SOAR UI hangs in VPE debug and UI will go blank and need refresh
2022-07-29 PSAAS-9663 SOAR does not reserve enough memory for critical processes when user playbook code leaks enough memory
2022-07-26 PSAAS-9593 VPE 2.0 Revision history should not be enabled when Source Control is marked Read-Only

Workaround:
No current workarounds. Customer is temporarily using training workflow to avoid issue. They would like this to be fixed within the UI.
2022-07-19 PSAAS-9531 Upgrades fail with error "Failed to trust git directory" when there exist playbook repos with spaces in their names

Workaround:
Follow these steps to mitigate this issue during your upgrade:
  1. Edit the file for the version you're upgrading. See the list.
    • For version 5.3.2, edit the file install/install_steps/git_repos.py
    • For version 5.3.3, edit the file install/operations/tasks/git_repos.py.

    Change lines 37 and 46. Wrap {git_repo} in escaped quotes.

    
    37     cmd=f"config --global --unset safe.directory \"{git_repo}\"",
    
    46     cmd=f"config --global --add safe.directory \"{git_repo}\"",
    
    

    Other versions may have similar code that needs to be wrapped in escaped quotes.

  2. Verify .soar-continue contains {"continue_from": "GitRepos", "cluster_phase": "NONE"}
  3. Re-run the soar-install command.

2022-07-07 PSAAS-9417, PSAAS-9599 Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-06-24 PSAAS-9316 Visual Playbook Editor: A 'false' value in artifact CEF is not evaluated correctly in decision and filter blocks

Workaround:
Use the in operator to evaluate whether a condition is 'true' or 'false', as shown in this example: ["artifact:*.cef.cn1", "in", "'false'"]
2022-06-24 PSAAS-9319 Webserver log level setting in admin UI is not respected
2022-05-25 PSAAS-9013 glusterfs mount crashes with segmentation fault on SOAR cluster node, results in "Transport is not connected" error

Workaround:
To resolve the error, follow these steps:
  1. On the gluster server, disable the open-behind feature for any affected volumes by running this command: gluster volume set <volname> open-behind off
  2. On the cluster nodes where the glusterfs client crashed, unmount and remount the affected share by running these commands in sequence (you must run these commands as a root user if you are on a privileged cluster):
    1. umount <path_to_share>
    2. mount -a
2022-05-19 PSAAS-8954 Running 'Update All' on Apps appears to cause ownership / permissions problems

Workaround:
To fix the permissions issue, run this command: chown -R nginx:phantom /opt/phantom/apps
2022-05-03 PSAAS-8792 phenv db_maintenance cannot run data retention for containers due to an AttributeError

Workaround:
There is no known workaround for this issue at this time.
2022-04-29 PSAAS-8778 Python 3 playbook converter fails for some misformatted legacy custom functions

Workaround:
none
2022-04-20 PSAAS-8689 Postgres is listed on the system health page with status "unknown" when a remote DB is configured

Workaround:
There is no known workaround for this issue at this time.
2022-04-20 PSAAS-8686 Adding attachments to a note raises error "Upload has failed "

Workaround:
Add the file first from the FILES tab

Then create or edit the note attaching one of the already uploaded files.

2022-04-12 PSAAS-8569 5.2.1 -> 5.3.x upgrades fail if custom pip packages have been installed and the system cannot directly reach pypi.org without a proxy

Workaround:
Perform one of these two operations (up to customer discretion):
  1. Look into the <PHANTOM_HOME>/usr/local/customer_requirements.txt file and acquire all the packages therein; it's likely they were installed for a reason by the customer, so this is probably the most correct action. The commands for acquiring the package may vary depending on the customer's environment; however, it should generally be a pip install: phenv python3 -m pip install -r customer_requirements.txt
  2. OR, you can delete the entire <PHANTOM_HOME>/usr/local/customer_requirements.txt file (or any package listed in it) so the system does not attempt to install anything. This action may cause customer playbooks, custom functions, or even locally-written apps to fail, since they might expect pip packages to exist that are no longer installed.

You can continue the upgrade by re-running the soar-install command after performing either remediation above.

2022-04-05 PSAAS-8499 Upgrade from 5.2.1 to 5.3.x fails with error "Failed to bootstrap playbook repos"

Workaround:
To resolve the issue, follow these steps:
  1. Run soar-install to upgrade to 5.3.1, and allow it to fail on the git repos step.
  2. Manually recover the GitRepos step by running this command:
    phenv python -c "import django, os; os.environ['DJANGO_SETTINGS_MODULE'] = 'phantom_ui.settings'; django.setup(); from phantom_ui.ui.models import SCM; from phantom_ui.phplaybooks.git_helper import pull; s = SCM.objects.get(name='community', disabled=False); s.branch = '5.3'; s.save(); pull(s, None, True); print('Updated community repo')"

  3. The failure should create a .soar-continue file in the same directory as soar-install. Edit that file so the "continue_from" field is "UpdatePyOnPrem" instead of "GitRepos" or "GitReposPriv".
  4. Run soar-install again to complete the upgrade.

2022-04-05 PSAAS-8474 VPE 2: Code block join settings incorrectly show upstream joins
2022-03-14 PSAAS-8005 Warm Standby SSH App rsync job fails on priv

Workaround:
If you are on a privileged install and use the SSH App, then you may have installed an SSH key in /home/phantom-worker/.ssh. An admin should copy that directory to the standby system.

If the original primary instance is inaccessible, then you can instead follow the SSH App documentation to generate and install a new SSH key.

2022-02-11 PSAAS-7604, PSAAS-9147 Deleting Source Control repo doesn't remove the playbooks

Workaround:
If you have command line access:
  1. Verify that the repo is marked as disabled=t in the scm table.
    SELECT * FROM scm;
  2. Verify that associated playbooks are marked as disabled=t and disabled=f in the playbook table.
    SELECT * FROM playbook WHERE scm_id=<scm_id>;
  3. Mark all associated playbooks as disabled=t.
    UPDATE playbook SET disabled='t' WHERE scm_id=<scm_id>;

Last modified on 21 November, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.2

