Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.0.1

High priority issue

Date filed Issue number Description
2023-05-23 PSAAS-13519, PSAAS-13538 Auth tokens expire after 30 days; tokens should not expire

The ph-auth-token for any automation user account will expire 30 days after it is generated. In releases prior to 6.0.0, these tokens did not expire. You might see a 401 Invalid Token error when using these tokens to call the Splunk SOAR API or running actions using an app with an asset configurations that uses these tokens.


Affected deployments
New installations of Splunk SOAR version 6.0.1
Your deployment is affected if you have created automation user authentication tokens in installations of Splunk SOAR version 6.0.1.
Upgrades to Splunk SOAR version 6.0.1
If you created any authentication tokens in an earlier Splunk SOAR version before upgrading to version 6.0.1:

  • Your deployment is affected if you update the tokens in version 6.0.1,
  • Your deployment is not affected if you do not update the tokens after upgrading.

Workaround
To rotate the key at any time (before or after it expires), generate a new one by by following these steps:

  1. Within Splunk SOAR, navigate to Administration, then User Management, then Users.
  2. Select the user you want to edit and select Re-Generate Auth Token.
  3. Select Show Token, then copy the token to your clipboard.
  4. Use that token to update any affected Splunk SOAR assets or external scripts that use the SOAR API.

Additional known issues

Date filed Issue number Description
2024-11-20 PSAAS-20761 set non-synchronous child playbook run status to failed if due to label mismatch
2024-10-21 PSAAS-20167 Child Playbook gets stuck running when run against label it does not pertain to
2024-03-14 PSAAS-16703 Playbook hangs when action license is exceeded
2024-03-04 PSAAS-16565 Upgrade failed at step GitRepos -- Failed to bootstrap playbook repos
2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-02-15 PSAAS-16431, PSAAS-16962, PSAAS-16963 Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues

Workaround:
  1. Check if the action completed successfully.
  2. Cancel the hanging action.
  3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']


2023-10-22 PSAAS-15123 Assets table in Password Vault, sorting after search does not show all the assets

Workaround:
Refresh page
2023-09-20 PSAAS-14855 The migration tool for privileged to unprivileged SOAR does not retain known_hosts file.

Workaround:
If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from

Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises).

These steps will add the git server to the known_hosts file of the phantom user in SOAR.

2023-09-14 PSAAS-14784 SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-08-25 PSAAS-14608 Images are not visible in app documentation
2023-07-24 PSAAS-14152 No indicators are displayed when all labels are selected in role permissions
2023-07-24 PSAAS-14158 In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401.

Workaround:
Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion.

There are four possible workarounds.

  1. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook.
  2. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer.
  3. Put the actions run with the HTTP connector in a child playbook.
  4. Use the phantom.requests playbook API without specifying any authentication mechanism instead of using the HTTP connector.

2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-07-18 PSAAS-14102 The original State file is replicated with app dir's state file

Workaround:
Remove the state file from the app dir.
2023-07-18 PSAAS-14107 Command make_server_node.pyc changes DB ownership to postgres on NRI install and then cannot start
2023-06-27 PSAAS-13913 VPE: After clicking Discard Changes button, blocks show error "Reconfigure Invalid Data Path"

Workaround:
Need to not save the playbook and refresh the page
2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mail boxes over time

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running
rm /var/mail/phantom

For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}

2023-06-23 PSAAS-13889 Images within app documentation are not being rendered
2023-06-21 PSAAS-13845 VPE stuck in 'Loading Playbook Editor' after minor playbook change.

Workaround:
Right click on VPE and then select inspect then display none.

This disables the 'playbook loading' screen.

Reverted to the last playbook revision: Select settings then revision history.

Now reapply your reversed changes to the playbook.

2023-06-21 PSAAS-13850 WarnOfflineInstallCustomerPipPackages install step fails for offline installs if ".tmp_pip_failure.txt" does not exist

Workaround:
Create an empty file called .tmp_pip_failure.txt in the location where the installer is being run from and retry the install/upgrade.
2023-06-12 PSAAS-13720 Playbooks become unresponsive when using an input playbook with "" in the name

Workaround:
Give the Playbook Action Block in the Automation Playbook a Custom Name that does not contain "[]" chars before having a filter reference the output of the Playbook Action Block.
2023-06-12 PSAAS-13722 Issue with Utility setting for playbook is not being refresh

Workaround:
Need to click on the background page and click back to the set status utility to show the correct setting
2023-06-05 PSAAS-13766 Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message

Workaround:
  1. Clear the local cache on the Automation Broker for the given app. This example shows steps to clear the local cache on Automation Broker for a sample maxmind app:
    splunk_user@518d6331a46d:/splunk_data/apps$ cd maxmind_c566e153-3118-4033-abda-14dd9748c91a/

    splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ ls -l total 4 drwxr-xr-x 6 splunk_user splunk_user 4096 Jun 7 15:43 2.2.5 splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ rm -rf 2.2.5

  2. After you clear the cache, run a test connection or any action to re-download the app to the Automation Broker from SOAR.

2023-05-31 PSAAS-13589 Installation error (FileNotFoundError: (Errno 2) No such file or directory: 'openssl')

Workaround:
Install the openssl package.
sudo yum update
sudo yum install openssl

2023-05-30 PSAAS-13579 Password reset email does not prominently display the reset page URL. Need to update URL manually.

Workaround:
To reset your password, follow these steps:
  1. After completing the Forgot your password form, select Go back to signin.
  2. In the address bar of your browser, update the last part of the Splunk SOAR URL.
    Replace /login?next=/ with /reset.
    The Reset your password screen appears.
  3. Open the Password reset request email you received from Splunk. Copy the token to your clipboard.
  4. Paste the token from the previous step into Password Reset Token field on the Reset your password page. Enter and confirm your new password, then select Submit.

2023-05-25 PSAAS-13546 App Viewer attempts to load but crashes on lower permission user

Workaround:
Login as user with an increased level of permissions.
2023-05-23 PSAAS-13512 Settings up shared services with make_server_node.py will fail if using a ssh keyfile instead of a user and a password for authentication.
2023-05-22 PSAAS-13503 When a user without system_settings view permission switches tabs from the SOAR homepage, the SOAR UI and apps become unresponsive.

Workaround:
  1. Contact Splunk Support to obtain an updated system.pyc.
  2. Replace your current copy of that file, located in www/phantom_ui/ui/models/system.pyc, with the new file obtained from Splunk Support.
  3. Run the following command: $PHANTOM_HOME/bin/phsvc reload uwsgi

2023-05-16 PSAAS-13425 Log level changes don't get applied to uwsgi mules without a uwsgi restart

Workaround:
To change the uwsgi log level, restart uwsgi by running the following command:

<PHANTOM_HOME>/bin/phsvc restart uwsgi

2023-05-11 PSAAS-13398 After upgrading from 6.0.0 to 6.0.1/6.0.2, configuring a new asset fails with the error message, "Cannot complete installing <app name>. Return to the Apps page and try installing again."

Workaround:
Run the following commands as the phantom user, then create the new asset:
mkdir -p /tmp/ph-apps
tar xvf <SOAR release file untarred directory>/splunk-soar/soar_component_apps.tar -C /tmp/ph-apps
phenv install_apps /tmp/ph-apps/dependencies/apps/*.tgz

2023-04-28 PSAAS-13290 Toggling delay timer in one block causes all other action blocks to toggle delay timer.

Workaround:
Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes.
2023-04-28 PSAAS-13285 Asset mapper fails to remap all blocks
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

2023-04-24 PSAAS-13176 Conditional installer tasks can fail to execute when retrying a failed upgrade
2023-04-24 PSAAS-13177 VPE: Playbook input elements in Configure panel is not shown due to repo ID mismatch

Workaround:
Use the Python editor and make the changes (or check the values) directly in the code.

Adding another block in the PB sometimes shows the fields but not always. See attached video.

2023-04-20 PSAAS-13156, PSAAS-12705 VPE: Condition blocks treat "False" and "True" as strings, not Boolean values

Workaround:
N/A
2023-04-20 PSAAS-13154 VPE: When opening playbooks, 'Invalid Resource' appears incorrectly on some blocks

Workaround:
This incorrect warning is caused by an issue with the Smart Block Context, conveying information from early playbook blocks to later blocks.

Reconfigure the affected block to remove the warning.

  1. Select the affected block to open its configuration panel.
  2. If needed, select the back button until the datapath selection panel list is visible.
  3. From the selection panel, select the correct resource again.
  4. Select Done. The warning should no longer appear.

2023-04-14 PSAAS-13089, PSAAS-14740 Unable to see console output in light mode from app editor view
2023-04-13 PSAAS-13069 Py2_deprecation check fails loudly if you run the unpriv installer as root
2023-04-07 PSAAS-12993 Upgrade fails due to communication failure with grpc.prod1-cloudgateway.spl.mobi

Workaround:
use flag --ignore-warnings
2023-04-06 PSAAS-12976 VPE: Manually selecting an asset deletes block configuration

Workaround:
Create a new block and copy the datapaths from the python editor view.
2023-04-05 PSAAS-12968 License is removed from SOAR if too many seats are used

Workaround:
Delete the old admin ID. This will reduce seats used by 1 and allow the license to be installed. It also allows for restarting/running SOAR without the license being removed.
2023-03-22 PSAAS-12782 VPE: phantom.collect2 fails if using a filter block that contains an action name

Workaround:
Rename the filter block to not include the preceding action name or rename the action block to something different than the filter.
2023-03-01 PSAAS-12397 App editor fails to load assets in edit mode for draft apps

Workaround:
Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made


Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published

2023-02-28 PSAAS-12376 Duplicate entries for SOAR related variables in the environment can cause Restore environment check to fail in Backup and Restore procedure

Workaround:
Use the --ignore-env-check option when doing a restore after verifying that the environment check fails due to duplicates and not because of some value being actually different (aka source system having PHANTOM_FIPS_MODE=0 and target system having PHANTOM_FIPS_MODE=1)
2023-02-16 PSAAS-12331 VPE: Naming blocks the same for utility block causes the blocks to sync
2023-02-15 PSAAS-12299 Apps Update does not display available new versions of unconfigured bundled apps

Workaround:
Applies to apps included with Splunk SOAR that are unconfigured (listed under the Unconfigured Apps tab). This does not apply to apps you manually installed by clicking Install App.
  1. Configure an asset for that app.
  2. Return to the Apps list.
  3. Click App Updates to see any available updates for that configured app.

2023-02-06 PSAAS-12198 App action links within app documentation do not work

Workaround:
Scroll down the page to view the documents or find by using CTRL-F search function.
2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
2022-11-28 PSAAS-11237 Details for playbook runs don't update in window from the Investigation page

Workaround:
Click the "x" and then click on the desired playbook run in the queue
2022-11-18 PSAAS-11190 VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor

Workaround:
Do not use the word 'container' in playbook block names.
2022-07-07 PSAAS-9417, PSAAS-9599 Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 20 November, 2024
Welcome to Splunk SOAR (On-premises) 6.0.1   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters