Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.1.1

Date filed Issue number Description
2024-09-09 PSAAS-19325 Export of playbooks does not work if using the Optional "Path to Playbooks" is specified in source control
2024-08-08 PSAAS-18987 Splunk SOAR (On-premises) Installer fails due to centos 8 mirror deprecation

Workaround:
  • If you are not building or upgrading a cluster, you can skip the glusterfs install step and continue the installation of Splunk SOAR.
    1. Rerun the install command for Splunk SOAR. Make sure you do not skip any prompts. Do not use the -y or --no-prompt command line arguments.
    2. The installer will prompt you to install glusterfs. You can answer no if you are not building or upgrading a clustered deployment.
  • If you are building or upgrading a cluster:
    1. Modify the install_common.py file
      1. On or around line 208, modify the base URL set for the GLUSTER_RPM_SOURCE_BASE_URL_EL8 variable to use vault instead of mirror. 
                                GLUSTER_RPM_SOURCE_BASE_URL_EL8 = (
                        "[https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/|https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/] "
                        )
      2. Re-run the installer.

2024-07-10 PSAAS-18441 Linux system stats are not forwarded to Splunk indexes if sysstat package is not installed.

Workaround:
Install and start the sysstat service by running the following command:
sudo /opt/phantom/soar-prepare-system --sysstat-service

You can verify the sysstat service is running with the command:

systemctl status sysstat

2024-06-11 PSAAS-18009 installation of sysstat package may be necessary
2024-03-13 PSAAS-16695 VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-02-29 PSAAS-16538 Generated reports: Cannot sort on Generated column
2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-02-15 PSAAS-16431, PSAAS-16962, PSAAS-16963 Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues

Workaround:
  1. Check if the action completed successfully.
  2. Cancel the hanging action.
  3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

2024-01-30 PSAAS-16206 Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named in all lowercase letters.

Workaround:
Use uppercase letters only.
2024-01-02 PSAAS-15951 spawn.log is not working after upgrading to SOAR version 6.1.1
2023-12-11 PSAAS-15750 VPE: Downstream block invoked twice from two upstream code blocks join

Workaround:
Detach one of the upstream blocks and run the blocks in sequence to avoid a join.
2023-12-06 PSAAS-15694 Indicators page shows empty table for non-admin users
2023-11-29 PSAAS-15640 Cannot delete or move playbooks with name that starts with ":"
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL: 
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly: 


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

2023-11-21 PSAAS-15528, PSAAS-13668 Home Page: Open event widget has overlapping characters for SLA and Severity
2023-10-18 PSAAS-15086 Cluster upgrade failing on DatabaseSchema with 'Failed to apply database migrations'

Workaround:
Contact Splunk Support.
2023-10-06 PSAAS-14969 Update from source control of external repo to pull a new Custom Function also creates a new playbook

Workaround:
To avoid this issue:

When using Update From Source Control, always select Force Update.

If you have already encountered this issue:

You have playbooks you didn't create, with names very similar to the custom function name, like custom_functions/<my_custom_function>.

Do not delete these extra playbooks, because that will also delete the custom function. Delete the Source Control repository and recreate it to remove the extra playbooks.

2023-10-04 PSAAS-14948 "validate parameters" button in action modal says "save" instead
2023-09-25 PSAAS-14869 Only draft app shows as runnable when searching to run apps "by app"
2023-09-20 PSAAS-14850 Cluster upgrades hang for 15 minutes while the UpdateRabbitMQServerCert task unnecessarily attempts to connect to the database, then continues successfully

Workaround:
Do one of these:
  • Wait the extra 15 minutes
  • Open a new terminal to the same instance on which the stalled upgrade is running then run the command phsvc start pgbouncer to start pgBouncer.
2023-09-20 PSAAS-14855 The migration tool for privileged to unprivileged SOAR does not retain known_hosts file.

Workaround:
If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from

Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises).

These steps will add the git server to the known_hosts file of the phantom user in SOAR.

2023-09-15 PSAAS-14790 The make_cluster_node script fails on new cluster with a PGSQL 15 database.
2023-09-14 PSAAS-14784 SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-09-08 PSAAS-14740, PSAAS-13089 In App editor, Console output is not visible properly in Dark Theme
2023-09-05 PSAAS-14697, PSAAS-14655, PAPP-32725 Images are not appearing in action's custom view on SOAR (Cloud) and (On-premises) versions 6.1.1 and higher
2023-08-29 PSAAS-14627 VPE: Code from one utility block might be copied into another utility block in the same playbook

Workaround:
In the Python Playbook Editor of the VPE, manually edit the affected blocks to remove duplicate codes.


To keep track of changes you make, clone the playbook before each edit.

2023-08-25 PSAAS-14608 Images are not visible in app documentation
2023-08-21 PSAAS-14504 Freshly installed SOAR cluster doesn't have any phantom_scheduler jobs
2023-07-19 PSAAS-14130, PSAAS-14128 Cluster node creation/upgrade may fail due to RabbitMQ CLI commands failing to connect to RabbitMQ server
2023-07-18 PSAAS-14116 App Editor Console Output has black fonts in dark theme

Workaround:
Use the light theme.
  1. Click your account name on the top right, then select Account Settings.
  2. Select the Light Theme, then select Save Changes.

2023-06-27 PSAAS-13913 VPE: After clicking Discard Changes button, blocks show error "Reconfigure Invalid Data Path"

Workaround:
Need to not save the playbook and refresh the page
2023-05-22 PSAAS-13496 App Editor: Setting default app action booleans to 'false' does not work.
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

2023-03-07 PSAAS-12591 VPE: Artifact labels in datapaths are not universally supported

Workaround:
Use a format block to convert datapath results to strings then use the format block's output as the input to downstream action blocks.
2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 08 October, 2024
Welcome to Splunk SOAR (On-premises) 6.1.1   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters