Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.2.0

Date filed Issue number Description
2024-08-08 PSAAS-18987 Splunk SOAR (On-premises) Installer fails due to centos 8 mirror deprecation

Workaround:
  • If you are not building or upgrading a cluster, you can skip the glusterfs install step and continue the installation of Splunk SOAR.
    1. Rerun the install command for Splunk SOAR. Make sure you do not skip any prompts. Do not use the -y or --no-prompt command line arguments.
    2. The installer will prompt you to install glusterfs. You can answer no if you are not building or upgrading a clustered deployment.
  • If you are building or upgrading a cluster:
    1. Modify the install_common.py file
      1. On or around line 208, modify the base URL set for the GLUSTER_RPM_SOURCE_BASE_URL_EL8 variable to use vault instead of mirror. 
                                GLUSTER_RPM_SOURCE_BASE_URL_EL8 = (
                        "[https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/|https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/] "
                        )
      2. Re-run the installer.

2024-06-24 PSAAS-18172 VPE crashes with TypeError when opening a playbook
2024-05-09 PSAAS-17655 Memory leak in handling of custom function results
2024-05-03 PSAAS-17586 ClusterUpgradePhase task fails when trying to upgrade a single-node cluster
2024-05-01 PSAAS-17560 Playbook converter cannot convert playbooks with set_owner or add_note

Workaround:
If you will run the playbook without making any changes, no action is required.

If you need to update the playbook, take the following action: After you migrate the playbook, delete the affected utility block, then re-add the block and make any updates.

2024-04-29 PSAAS-17481 Spawn.log does not populate after disabling telemetry and restarting Spunk SOAR
2024-04-17 PSAAS-17302 make_cluster_node.pyc script prompt still references PG 11
2024-04-15 PSAAS-17266 Configuring ibackup on primary incorrectly sets standby node max_wal_senders value

Workaround:
* Work around provided to the customer:
  • Enable warm standby which creates the /opt/phantom/data/db/postgresql.warm_standby.conf file
  • Stop SOAR on both the primary & secondary nodes
  • Change the setting of max_wall_senders = 2 to max_wall_senders = 3 in the /opt/phantom/data/db/postgresql.warm_standby.conf file on both the primary & secondary nodes
  • Restart SOAR on both the primary & secondary nodes
  • Setup ibackup on the primary node
  • Verify warm standby status is "currently streaming" on both the primary & secondary nodes
2024-04-05 PSAAS-17189 Playbook deletion is not logged in the audit trail

Workaround:
On-prem customers can monitor the git log for playbook and other git related deletions.
2024-03-14 PSAAS-16703 Playbook hangs when action license is exceeded
2024-03-13 PSAAS-16695 VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-04 PSAAS-16565 Upgrade failed at step GitRepos -- Failed to bootstrap playbook repos
2024-03-04 PSAAS-16560, PSAAS-16564 Git operations on playbook repos fail with "Peer's certificate issuer has been marked as not trusted by the user" when using a custom certificate

Workaround:
There are two options:
  1. Manually configure git to use the certificate that you've previously imported to Splunk SOAR. Log into the system as the user owning the Splunk SOAR installation, using SSH, and execute the following command: 
    
git config --global http.sslCAInfo {PHANTOM_HOME}/etc/cacerts.pem

    If your Splunk SOAR deployment is a cluster, the git config command will need to be executed on each node in the cluster.

  2. Disable SSL verification for the affected git repo(s). This option is less secure

2024-02-29 PSAAS-16538 Generated reports: Cannot sort on Generated column
2024-02-28 PSAAS-16529 When navigating back from investigation page to the analyst queue, stale filters are selected
2024-02-22 PSAAS-16476 Logs download doesn't work for On-Prem Cluster setup
2024-02-20 PSAAS-16452, PSAAS-16372 Classic to Modern Playbook conversion errors

Workaround:
* Layout completely jumbled in Modern playbook (MINOR, But annoying)

this can should be resolved by clicking auto-arrange

2024-02-15 PSAAS-16431, PSAAS-16962, PSAAS-16963 Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues

Workaround:
  1. Check if the action completed successfully.
  2. Cancel the hanging action.
  3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

2024-02-14 PSAAS-16416 Failed to add custom field in UI

Workaround:
Refresh the page to get latest update in the custom fields and try to add field again. In the future, avoid multiple users are modifying the custom fields at the same time.
2024-02-12 PSAAS-16368 Copying playbook from remote repository to local repository fails
2024-02-09 PSAAS-16355 VPE: Renamed blocks do not reflect changed names in End block
2024-02-09 PSAAS-16357 Playbook Converter: Datapaths not present in modern datapath picker for custom function and playbook blocks

Workaround:
Rename the affected block to be the same as the function name.

For example, if the function name is "cf_local_generated_1", change the block name to "cf_local_generated_1".

2024-01-30 PSAAS-16210 VPE: "Reconfigure Invalid Datapath" warnings on blocks after upgrade
2024-01-30 PSAAS-16206 Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named in all lowercase letters.

Workaround:
Use uppercase letters only.
2024-01-25 PSAAS-16157 Upgrade to 6.2.0 failed with error "Failed to move /opt/phantom/data/db to /opt/phantom/data/db.old" when DB is on its own disk partition

Workaround:
After you run the upgrade script, follow these steps:
  1. Run the following: 
    
mkdir /opt/phantom/data/db.old;

mv -f /opt/phantom/data/db/* /opt/phantom/data/db.old

chmod 700 /opt/phantom/data/db.old
  2. Comment out the move command in vi /opt/phantom/splunk-soar/install/operations/conditional_tasks/postgres_upgrade.py
  3. Run the upgrade script again.

2024-01-22 PSAAS-16122 Saving playbooks to a local repo fails with 'Push master failed: (branch is currently checked out)'

Workaround:
Operate in repo configured with external resources
2024-01-19 PSAAS-16089 Missing notification for inactivity timeout
2024-01-16 PSAAS-16049 Playbook converter: Asset name is incorrect in the converted playbook
2024-01-16 PSAAS-16048 Fix asset name for playbook converter
2024-01-03 PSAAS-15959 ForwarderGroup TCP token can be accidentally cleaned up if forwarder group is inactive

Workaround:
If a SOAR Cloud customer has a Splunk Enterprise forwarder group which is not working due to a deleted tcp token they can recreate the group and the tcp token will be recreated
2024-01-02 PSAAS-15957 Investigation page: Activity tab doesn't show playbook name. Shows "..."
2023-12-20 PSAAS-15916 Under some conditions, Splunk SOAR's global search can quickly consume huge amounts of memory in uwsgi processes

Workaround:
If you experience high levels of memory usage while using the main search bar in Splunk SOAR, contact Splunk Support.
2023-12-13 PSAAS-15828 After upgrading to version of SOAR running Postgres 15, 'ibackup --setup' fails

Workaround:
  1. Delete the old pgbackrest folder: rm -r <PHANTOM_HOME>/data/ibackup/repo
  2. Rerun phenv ibackup --setup

2023-12-12 PSAAS-15821 Global search not working for custom fields
2023-12-11 PSAAS-15750 VPE: Downstream block invoked twice from two upstream code blocks join

Workaround:
Detach one of the upstream blocks and run the blocks in sequence to avoid a join.
2023-12-06 PSAAS-15695 JSON viewer for input playbooks - analyst view- has clickable URLs

Workaround:
None
2023-12-06 PSAAS-15694 Indicators page shows empty table for non-admin users
2023-12-05 PSAAS-15685 Naming a forwarder group "splunk" breaks forwarding

Workaround:
Delete the forwarder group named "splunk" and recreate it with some other name.
2023-11-29 PSAAS-15640 Cannot delete or move playbooks with name that starts with ":"
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL: 
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly: 


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

2023-11-22 PSAAS-15543 Test connectivity for asset might result in "failed to send" and HTTP 500 "internal server" error for POST to /rest/asset/{id}

Workaround:
If your connectivity test runs longer than 30 seconds:
  • Keep the "Test Connectivity" window open and wait for the test to complete.
  • Ignore the 500 "internal server error" and the "Failed to send" notification.

2023-11-21 PSAAS-15528, PSAAS-13668 Home Page: Open event widget has overlapping characters for SLA and Severity
2023-11-09 PSAAS-15392 Playbook Converter: Synchronous playbook fails to run for converted playbooks

Workaround:
The user can go into the converted modern playbook and save the playbook. This should work for most cases.


If the above does not work, the user should see if the function header is editable. Usually this is guarded by a lock, but if not, then modify the function header to have **kwargs as a parameter at the end.

image-20231110-033611.png|width=1633,height=53!


If the function header is not editable, copy the code for the callback block, delete the synchronous playbook block, readd the synchronous playbook block and readd the function body code.

2023-11-07 PSAAS-15338 The Repo Permissions in the user modal does not show permissions

Workaround:
Check for the assigned roles permissions for the repos
2023-10-27 PSAAS-15202 Password Vault: Asset not removed from "Assets with enabled password manager" table if all credential fields removed

Workaround:
No workaround.

If an asset in the "Assets with enabled password manager" table is empty, it is not available for use. It still exists in the table because a credential management field was deleted, preventing deletion of the asset from the table.

2023-10-27 PSAAS-15201 Password Vault: "Assets with enabled password manager" table can lead to Apps page without an asset selected

Workaround:
This issue occurs when you select the Edit button to view an asset from the "Assets with enabled password manager" table, then, after viewing its App configuration page, you use the browser's back button to return to the table. When you select Edit to view another asset from the table, the Apps configuration page for that asset is not pre-filled with the asset name and information.

After you have viewed one asset configuration page, use one of the following workarounds to avoid the issue:

  • Refresh the Password Vault browser page before selecting the Edit button for each asset you want to view.
  • Remember the name of the asset you want to view. Select the Edit button for that asset to open its Apps page. The Asset field will be blank. Select the name of the asset you want to view.
  • Right-click or Control-click the Edit button next to an asset to open it in a new tab.

2023-10-26 PSAAS-15199 If the CyberArk instance is down and an action is run, the response message is not clear
2023-10-25 PSAAS-15176 VPE Playbook Conversion: Opening some of the converted PBs show "Discard Changes" button without changes made

Workaround:
When you open a newly converted playbook, select Save to regenerate and save the new code.

If you select Discard Changes before you have made any changes, the playbook code and JSON files are not changed.

2023-10-20 PSAAS-15120 Adding an empty repository on SOAR fails

Workaround:
Ensure that at least one commit is pushed to the playbook repo before adding it to SOAR
2023-10-20 PSAAS-15119 VPE Playbook conversion: Extra path added when converting classic VPE playbook to modern playbook

Workaround:
If your classic playbook has connections that are very close to each other, the modern playbook might create an extra connection.

Before you convert a playbook, spread out your playbook blocks so your connections are not close or overlapping. Then convert the playbook.

Review and test newly converted playbooks before marking them as active to ensure blocks and connectors appear and work correctly.

2023-10-18 PSAAS-15100 PB Converter: Asset Mapper modal is not shown in the converted playbook
2023-10-18 PSAAS-15086 Cluster upgrade failing on DatabaseSchema with 'Failed to apply database migrations'

Workaround:
Contact Splunk Support.
2023-09-05 PSAAS-14697, PSAAS-14655, PAPP-32725 Images are not appearing in action's custom view on SOAR (Cloud) and (On-premises) versions 6.1.1 and higher
2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-27 PSAAS-13913 VPE: After clicking Discard Changes button, blocks show error "Reconfigure Invalid Data Path"

Workaround:
Need to not save the playbook and refresh the page
2023-05-22 PSAAS-13496 App Editor: Setting default app action booleans to 'false' does not work.
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 12 November, 2024
Welcome to Splunk SOAR (On-premises) 6.2.0   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters