Known issues for

Release 6.1.0

Date filed	Issue number	Description
2024-03-22	PSAAS-16934	Evidence tab screen goes blank if artifact is marked as evidence Workaround: use a different CEF field name that's not "tags"
2024-03-06	PSAAS-16634	ibackup script creating big WAL directories and backup log is misleading.
2024-02-22	PSAAS-16477	Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the `image:` line in docker-compose.yaml to point to `docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.`
2024-02-15	PSAAS-16431, PSAAS-16963, PSAAS-16962	Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues Workaround: # Check if the action completed successfully Cancel the hanging action If the action did not complete successfully, re-run the action.
2024-01-30	PSAAS-16206	Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named in all lowercase letters. Workaround: Use uppercase letters only.
2023-12-11	PSAAS-15750	VPE: Downstream block invoked twice from two upstream code blocks join Workaround: Detach one of the upstream blocks and run the blocks in sequence to avoid a join.
2023-12-05	PSAAS-15684	collect2 function with tags filter is not looking beyond first 2000 artifacts in a container
2023-11-29	PSAAS-15638	Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a `sort` parameter to the URL: https://example-soar.com/rest/resource?page=X&sort=id If using the `phantom.get_tasks()` or `phantom.get_notes()` playbook APIs, you can use `phantom.requests` instead to query the REST API directly: # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data']
2023-10-31	PSAAS-15253	The modal to update active/inactive playbook is not working Workaround: The playbook can be set to active/inactive from the settings configuration page
2023-10-18	PSAAS-15086	cluster upgrade failing on DatabaseSchema with 'Failed to apply database migrations' Workaround: Contact Splunk Support.
2023-10-06	PSAAS-14969	Update from source control of external repo to pull a new Custom Function also creates a new playbook Workaround: To avoid this issue: When using Update From Source Control, always select Force Update. If you have already encountered this issue: You have playbooks you didn't create, with names very similar to the custom function name, like custom_functions/<my_custom_function>. Do not delete these extra playbooks, because that will also delete the custom function. Delete the Source Control repository and recreate it to remove the extra playbooks.
2023-10-04	PSAAS-14948	"validate parameters" button in action modal says "save" instead
2023-09-20	PSAAS-14850	Cluster upgrades hang for 15 minutes while the UpdateRabbitMQServerCert task unnecessarily attempts to connect to the database, then continues successfully Workaround: Do one of these: Wait the extra 15 minutes Open a new terminal to the same instance on which the stalled upgrade is running then run the command `phsvc start pgbouncer` to start pgBouncer.
2023-09-20	PSAAS-14855	The migration tool for privileged to unprivileged SOAR does not retain known_hosts file. Workaround: If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises). These steps will add the git server to the known_hosts file of the phantom user in SOAR.
2023-09-14	PSAAS-14784	SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-09-13	PSAAS-14783	UI becoming unresponsive when adding or interacting with notes that has alphanumeric strings in Summary view Workaround: Issue seems to be part of the special characters {{<>}} with text in between. The workaround is try to avoid those characters in the note.
2023-09-08	PSAAS-14740	In App editor, Console output is not visible properly in Dark Theme
2023-08-29	PSAAS-14627	VPE: Code from one utility block might be copied into another utility block in the same playbook Workaround: In the Python Playbook Editor of the VPE, manually edit the affected blocks to remove duplicate codes. To keep track of changes you make, clone the playbook before each edit.
2023-08-24	PSAAS-14607	Boolean parameter in playbook considered as string
2023-08-22	PSAAS-14534	SOAR Installer can appear to hang if the database is not running.
2023-08-21	PSAAS-14497, PSAAS-14560	VPE: Reversion fails for playbooks with periods in their names Workaround: Do not use periods in playbook names. If you have a period in the playbook name, reversion will fail.
2023-08-14	PSAAS-14440	Cannot delete all custom fields from UI Workaround: When deleting custom fields, leave at least one custom field in the list.
2023-08-11	PSAAS-14413	Special characters are removed while downloading the file from Vault
2023-08-02	PSAAS-14223	"Run automatically when" appears on input playbooks; designed only for automation playbooks Workaround: This feature is designed to work on automation playbooks, not input playbooks. Any updates you make in this section will not affect your input playbooks.
2023-07-26	PSAAS-14172, PSAAS-14173	The delete_containers.pyc script omitted from SOAR 6.1.0 builds. Workaround: The `delete_containers.pyc` script was omitted from SOAR 6.1.0 builds. Users who need to remove containers from their SOAR deployments can use the data retention and management tools described in the topic Use data retention strategies to schedule and manage your database cleanup in Administer . https://docs.splunk.com/Documentation/SOARonprem/latest/Admin/DataRetention
2023-07-24	PSAAS-14158	In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401. Workaround: Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion. There are four possible workarounds. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer. Put the actions run with the HTTP connector in a child playbook. Use the `phantom.requests` playbook API without specifying any authentication mechanism instead of using the HTTP connector.
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-07-18	PSAAS-14102	The original State file is replicated with app dir's state file Workaround: Remove the state file from the app dir.
2023-07-18	PSAAS-14116	App Editor Console Output has black fonts in dark theme Workaround: Use the light theme. Click your account name on the top right, then select Account Settings. Select the Light Theme, then select Save Changes.
2023-07-14	PSAAS-14056	Community repo playbooks updated from source control give error "Ref '6.1' did not resolve to an object" Workaround: Select the Force Update checkbox, then select Update.
2023-07-11	PSAAS-14004, PAPP-31256	Zoom, MS Graph, EWS for Office apps not installed/upgraded on SOAR 6.1.0 Workaround: If you are using one of the following apps, manually reinstall or upgrade it from Splunkbase. Zoom app, version 2.1.0 MS Graph for Office365, version 2.8.0 EWS for Office 365, version 2.15.0
2023-06-23	PSAAS-13889	Images within app documentation are not being rendered
2023-06-22	PSAAS-13858	spawn.log could stop working if telemetry is off for new install or upgrade from 5.5.0 Workaround: Turn on the telemetry feature in the Home menu then Administration, then Product Settings in the web-based UI. Restart phantom_watchdogd from the web-based UI or using the command line. <$PHANTOM_HOME>/bin/phsvc restart phantom_watchdogd If you are able to use the command line, make sure <$PHANTOM_HOME>/var/log/phantom/spawn_telemetry_pipe was created Once spawn.log is running it is safe to turn off the telemetry feature. The spawn_telemetry_pipe stays even if telemetry is off, which lets the spawn logger process run.
2023-06-07	PSAAS-13666	VPE: Blocks custom named 'container' and 'container_0' produce the same python function name Workaround: Avoid using custom block names that end in "container" and "container_0".
2023-06-06	PSAAS-13638	Exceptions thrown in soar_diag_backport
2023-06-05	PSAAS-13626	Creating clusters with more than 3 nodes with make_cluster_node.pyc results in clusters with 4 consul servers instead of 3 Workaround: This issue only applies to Splunk SOAR (On-Premises) clusters with more than 3 nodes. Identify which 4 nodes in the cluster are consul "servers" by running `phenv consul members` Pick one of those 4 nodes and downgrade it to a "client" by running `grep -v '"server"' <$PHANTOM_HOME>/etc/consul/config.json > <$PHANTOM_HOME>/etc/consul/config.json` Restart consul on that node by running `phenv phantom_supervisord ctl restart consul`
2023-06-05	PSAAS-13766	Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message Workaround: # Clear the local cache on the Automation Broker for the given app. This example shows steps to clear the local cache on Automation Broker for a sample maxmind app: {noformat}splunk_user@518d6331a46d:/splunk_data/apps$ cd maxmind_c566e153-3118-4033-abda-14dd9748c91a/ splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ ls -l total 4 drwxr-xr-x 6 splunk_user splunk_user 4096 Jun 7 15:43 2.2.5 splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ rm -rf 2.2.5{noformat} After you clear the cache, run a test conn or any action to re-download the app to the Automation Broker from SOAR.
2023-05-31	PSAAS-13589	Installation error (FileNotFoundError: (Errno 2) No such file or directory: 'openssl') Workaround: Install the openssl package. sudo yum update sudo yum install openssl
2023-05-22	PSAAS-13496	App Editor: Setting default app action booleans to 'false' does not work.
2023-03-07	PSAAS-12591	VPE: Artifact labels in datapaths are not universally supported Workaround: Use a format block to convert datapath results to strings then use the format block's output as the input to downstream action blocks.
2022-11-28	PSAAS-11237	Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.

Related answers from Splunk Community

Known issues for

Release 6.1.0

Comments

Known issues for Splunk SOAR (On-premises)

Was this topic useful?