Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.1.0

Date filed Issue number Description
2024-07-10 PSAAS-18441 Linux system stats are not forwarded to Splunk indexes if sysstat package is not installed.

Workaround:
Install and start the sysstat service by running the following command:
sudo /opt/phantom/soar-prepare-system --sysstat-service

You can verify the sysstat service is running with the command:

systemctl status sysstat

2024-06-11 PSAAS-18009 installation of sysstat package may be necessary
2024-03-22 PSAAS-16934 Evidence tab screen goes blank if artifact is marked as evidence

Workaround:
use a different CEF field name that's not "tags"
2024-03-06 PSAAS-16634 ibackup script creating big WAL directories and backup log is misleading.
2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-02-15 PSAAS-16431, PSAAS-16962, PSAAS-16963 Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues

Workaround:
  1. Check if the action completed successfully.
  2. Cancel the hanging action.
  3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

2024-01-30 PSAAS-16206 Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named in all lowercase letters.

Workaround:
Use uppercase letters only.
2023-12-11 PSAAS-15750 VPE: Downstream block invoked twice from two upstream code blocks join

Workaround:
Detach one of the upstream blocks and run the blocks in sequence to avoid a join.
2023-12-05 PSAAS-15684 Playbook API phantom.collect2() with tags filter is not returning beyond the first 2000 artifacts in a container
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL: 
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly: 


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

2023-11-21 PSAAS-15528, PSAAS-13668 Home Page: Open event widget has overlapping characters for SLA and Severity
2023-10-31 PSAAS-15253 The modal to update active/inactive playbook is not working

Workaround:
The playbook can be set to active/inactive from the settings configuration page
2023-10-18 PSAAS-15086 Cluster upgrade failing on DatabaseSchema with 'Failed to apply database migrations'

Workaround:
Contact Splunk Support.
2023-10-06 PSAAS-14969 Update from source control of external repo to pull a new Custom Function also creates a new playbook

Workaround:
To avoid this issue:

When using Update From Source Control, always select Force Update.

If you have already encountered this issue:

You have playbooks you didn't create, with names very similar to the custom function name, like custom_functions/<my_custom_function>.

Do not delete these extra playbooks, because that will also delete the custom function. Delete the Source Control repository and recreate it to remove the extra playbooks.

2023-10-04 PSAAS-14948 "validate parameters" button in action modal says "save" instead
2023-09-20 PSAAS-14850 Cluster upgrades hang for 15 minutes while the UpdateRabbitMQServerCert task unnecessarily attempts to connect to the database, then continues successfully

Workaround:
Do one of these:
  • Wait the extra 15 minutes
  • Open a new terminal to the same instance on which the stalled upgrade is running then run the command phsvc start pgbouncer to start pgBouncer.
2023-09-20 PSAAS-14855 The migration tool for privileged to unprivileged SOAR does not retain known_hosts file.

Workaround:
If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from

Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises).

These steps will add the git server to the known_hosts file of the phantom user in SOAR.

2023-09-14 PSAAS-14784 SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-09-13 PSAAS-14783 UI becoming unresponsive when adding or interacting with notes that has alphanumeric strings in Summary view

Workaround:
Issue seems to be part of the special characters {{<>}} with text in between. The workaround is try to avoid those characters in the note.
2023-09-08 PSAAS-14740, PSAAS-13089 In App editor, Console output is not visible properly in Dark Theme
2023-08-29 PSAAS-14627 VPE: Code from one utility block might be copied into another utility block in the same playbook

Workaround:
In the Python Playbook Editor of the VPE, manually edit the affected blocks to remove duplicate codes.


To keep track of changes you make, clone the playbook before each edit.

2023-08-24 PSAAS-14607 Boolean parameter in playbook considered as string
2023-08-24 PSAAS-14550 User unable to bulk edit/close the events due to missing unrelated required tag

Workaround:
I suggest customer temporarily create a new tag and assign to the label "audit". Then they should be able to bulk close all events with label "audit" by choosing the new tag as required tag.
2023-08-22 PSAAS-14534 SOAR Installer can appear to hang if the database is not running.
2023-08-21 PSAAS-14497, PSAAS-14560 VPE: Reversion fails for playbooks with periods in their names

Workaround:
Do not use periods in playbook names. If you have a period in the playbook name, reversion will fail.
2023-08-14 PSAAS-14440 Cannot delete all custom fields from UI

Workaround:
When deleting custom fields, leave at least one custom field in the list.
2023-08-11 PSAAS-14413 Special characters are removed while downloading the file from Vault
2023-08-02 PSAAS-14223 "Run automatically when" appears on input playbooks; designed only for automation playbooks

Workaround:
This feature is designed to work on automation playbooks, not input playbooks.

Any updates you make in this section will not affect your input playbooks.

2023-07-26 PSAAS-14172, PSAAS-14173 The delete_containers.pyc script omitted from SOAR 6.1.0 builds.

Workaround:
The delete_containers.pyc script was omitted from SOAR 6.1.0 builds.

Users who need to remove containers from their SOAR deployments can use the data retention and management tools described in the topic Use data retention strategies to schedule and manage your database cleanup in Administer .

2023-07-24 PSAAS-14158 In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401.

Workaround:
Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion.

There are four possible workarounds.

  1. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook.
  2. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer.
  3. Put the actions run with the HTTP connector in a child playbook.
  4. Use the phantom.requests playbook API without specifying any authentication mechanism instead of using the HTTP connector.

2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-07-18 PSAAS-14102 The original State file is replicated with app dir's state file

Workaround:
Remove the state file from the app dir.
2023-07-18 PSAAS-14116 App Editor Console Output has black fonts in dark theme

Workaround:
Use the light theme.
  1. Click your account name on the top right, then select Account Settings.
  2. Select the Light Theme, then select Save Changes.

2023-07-14 PSAAS-14056 Community repo playbooks updated from source control give error "Ref '6.1' did not resolve to an object"

Workaround:
Select the Force Update checkbox, then select Update.
2023-07-11 PSAAS-14004, PAPP-31256 Zoom, MS Graph, EWS for Office apps not installed/upgraded on SOAR 6.1.0

Workaround:
If you are using one of the following apps, manually reinstall or upgrade it from Splunkbase.
  • Zoom app, version 2.1.0
  • MS Graph for Office365, version 2.8.0
  • EWS for Office 365, version 2.15.0
2023-06-23 PSAAS-13889 Images within app documentation are not being rendered
2023-06-22 PSAAS-13858 spawn.log could stop working if telemetry is off for new install or upgrade from 5.5.0

Workaround:
  1. Turn on the telemetry feature in the Home menu then Administration, then Product Settings in the web-based UI.
  2. Restart phantom_watchdogd from the web-based UI or using the command line. 
     <$PHANTOM_HOME>/bin/phsvc restart phantom_watchdogd
  3. If you are able to use the command line, make sure <$PHANTOM_HOME>/var/log/phantom/spawn_telemetry_pipe was created
  4. Once spawn.log is running it is safe to turn off the telemetry feature. The spawn_telemetry_pipe stays even if telemetry is off, which lets the spawn logger process run.

2023-06-07 PSAAS-13666 VPE: Blocks custom named 'container' and 'container_0' produce the same python function name

Workaround:
Avoid using custom block names that end in "container" and "container_0".
2023-06-06 PSAAS-13638 Exceptions thrown in soar_diag_backport
2023-06-05 PSAAS-13626 Creating clusters with more than 3 nodes with make_cluster_node.pyc results in clusters with 4 consul servers instead of 3

Workaround:
This issue only applies to Splunk SOAR (On-Premises) clusters with more than 3 nodes.
  1. Identify which 4 nodes in the cluster are consul "servers" by running phenv consul members
  2. Pick one of those 4 nodes and downgrade it to a "client" by running grep -v '"server"' <$PHANTOM_HOME>/etc/consul/config.json > <$PHANTOM_HOME>/etc/consul/config.json
  3. Restart consul on that node by running phenv phantom_supervisord ctl restart consul

2023-06-05 PSAAS-13766 Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message

Workaround:
  1. Clear the local cache on the Automation Broker for the given app. This example shows steps to clear the local cache on Automation Broker for a sample maxmind app:
    splunk_user@518d6331a46d:/splunk_data/apps$ cd maxmind_c566e153-3118-4033-abda-14dd9748c91a/

    splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ ls -l total 4 drwxr-xr-x 6 splunk_user splunk_user 4096 Jun 7 15:43 2.2.5 splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ rm -rf 2.2.5

  2. After you clear the cache, run a test connection or any action to re-download the app to the Automation Broker from SOAR.

2023-05-31 PSAAS-13589 Installation error (FileNotFoundError: (Errno 2) No such file or directory: 'openssl')

Workaround:
Install the openssl package. 
sudo yum update
sudo yum install openssl

2023-05-22 PSAAS-13496 App Editor: Setting default app action booleans to 'false' does not work.
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.
2023-03-07 PSAAS-12591 VPE: Artifact labels in datapaths are not universally supported

Workaround:
Use a format block to convert datapath results to strings then use the format block's output as the input to downstream action blocks.
2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
2022-11-28 PSAAS-11237 Details for playbook runs don't update in window from the Investigation page

Workaround:
Click the "x" and then click on the desired playbook run in the queue
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 10 July, 2024
Welcome to Splunk SOAR (On-premises) 6.1.0   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters