After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Known issues for
Release 6.2.1
Date filed | Issue number | Description |
---|---|---|
2025-01-28 | PSAAS-21598 | SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page Workaround: Change settings on the playbook listing page instead of the Visual Playbook Editor view. |
2025-01-02 | PSAAS-21211 | Playbook's loop exit condition uses stale container data when determining whether to exit |
2024-11-20 | PSAAS-20760 | Restarting phantom with telemetry off stops logs from being written to spawn.log |
2024-11-13 | PSAAS-20654 | Shutting down/restarting the system in a SOAR cluster without first shutting down SOAR caused ingestion intervals to be delayed Workaround: Clear stale Ingestion status records from the database by running the following sql: {noformat}UPDATE ingestion_status SET status='failed', task_state='finished' WHERE status='running' AND start_time < now() - Interval '24 hours';{noformat} The above will only mark records that are older than 24 hours as failed. Alternatively, disable polling on old assets and create new ones. |
2024-11-06 | PSAAS-20434 | Utility block pin API does not support all pin colors |
2024-10-11 | PSAAS-20016 | SOAR Upgrade failure due to attempting to install SOAR when SOAR has already been installed |
2024-09-09 | PSAAS-19325 | Export of playbooks does not work if using the Optional "Path to Playbooks" is specified in source control |
2024-08-26 | PSAAS-19171 | Pip packages upgraded during install, old versions still exist missing METADATA files Workaround:
|
2024-08-13 | PSAAS-19036 | About page shows "Splunk Version" and "Splunk Build", which are not accurate as Splunk no longer ships with SOAR |
2024-08-08 | PSAAS-18987 | Splunk SOAR (On-premises) Installer fails due to centos 8 mirror deprecation Workaround:
|
2024-07-25 | PSAAS-18799 | Cannot delete container from UI or REST call Workaround: Using command "phenv delete_containers --id <container ID>" to delete those containers. |
2024-07-23 | PSAAS-18783 | Limit Total Time and Memory Limits for UWSGI Workers Workaround: None |
2024-07-03 | PSAAS-18317 | Deleting the Playbook Run, or removing from the database the Asset, User, or App which created a container may cascade into deleting that container and its associated data Workaround: Upgrade to Splunk SOAR 6.3.0 or higher to remove the possibility of unintended container loss by any cause. If you cannot upgrade to Splunk SOAR 6.3.0 or higher at this time, you can use the SOAR's shell, ( phenv phantom_shell ) to manually prepare for the deletion of playbok_runs, for which you will need a list of affected playbook_run IDs. For assets, users, or ingestion apps, deleting via the REST API is a "soft delete" and is generally safe, with one notable exception for apps listed below
|
2024-04-25 | PSAAS-17454 | slow API requests lead to missing VPE block outputs upon initial load Workaround: Manually re-generate outputs by deleting and/or reconfiguring the whole block. |
2024-04-17 | PSAAS-17305 | REST APIs with pagination give a 400 error |
2024-04-03 | PSAAS-17135 | Investigation page: Playbook run tab is broken for playbook with empty inputs |
2024-04-03 | PSAAS-17165 | VPE: Datapath within loop block doesn't reflect block name change Workaround: Before running a playbook that contains a looped block, make sure that all internal datapath configurations of the looped block are accurate and up-to-date by manually checking that each datapath refers to the correct block name. |
2024-03-26 | PSAAS-16961 | Licensing extension not available Workaround: Contact Splunk Support at least 30 days before your license is set to expire. |
2024-03-25 | PSAAS-16959 | Enabling the Secret Flag in Global Environment Variables Causes AB Test Connectivity/Poll Now to Fail Workaround: Remove the secret flag from all global environment variables for Test Connectivity to work with AB. |
2024-03-13 | PSAAS-16695 | VPE: Action block using Splunk app marked unconfigured when optional parameters not specified |
2024-03-06 | PSAAS-16641 | Global seach checkbox for "Playbook Run" gets unselected when selecting other options Workaround: If you are selecting multiple search options, select all other options first, then select the Playbook Run option. |
2024-03-06 | PSAAS-16642 | VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them Workaround: If you have already deleted multiple conditions in the filter block configuration panel: If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel.
|
2024-03-04 | PSAAS-16560, PSAAS-16564 | Git operations on playbook repos fail with "Peer's certificate issuer has been marked as not trusted by the user" when using a custom certificate Workaround: There are two options:
|
2024-02-22 | PSAAS-16477 | Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>. |
2024-01-30 | PSAAS-16206 | Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters Workaround: Use uppercase letters only. |
2023-07-19 | PSAAS-14125 | Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed. |
2023-04-26 | PSAAS-13255 | Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.
In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission. |
2023-02-02 | PSAAS-12158 | User filtering is using first/last name to filter events instead of just username Workaround: None |
Welcome to Splunk SOAR (On-premises) 6.2.1 | Fixed issues for |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1
Feedback submitted, thanks!