Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.2.1

Date filed Issue number Description
2024-11-13 PSAAS-20654 Shutting down/restarting the system in a SOAR cluster without first shutting down SOAR can cause ingestion intervals to be delayed

Workaround:
Clear stale ingestion status records from the database by running the following SQL:

    UPDATE ingestion_status SET status='failed', task_state='finished' WHERE status='running' AND start_time < now() - Interval '24 hours';

The above will only mark records that are older than 24 hours as failed.

Alternatively, disable polling on old assets and create new ones.

2024-11-06 PSAAS-20434 Utility block pin API does not support all pin colors
2024-10-11 PSAAS-20016 SOAR upgrade failure: Failed to start Splunk SOAR
2024-09-09 PSAAS-19325 Export of playbooks does not work if the optional "Path to Playbooks" is specified in source control
2024-08-26 PSAAS-19171 Pip packages upgraded during install, old versions still exist missing METADATA files

Workaround:
See Workaround in [1]
2024-08-13 PSAAS-19036 About page shows "Splunk Version" and "Splunk Build", which are not accurate as Splunk no longer ships with SOAR
2024-08-08 PSAAS-18987 Splunk SOAR (On-premises) Installer fails due to CentOS 8 mirror deprecation

Workaround:
  • If you are not building or upgrading a cluster, you can skip the glusterfs install step and continue the installation of Splunk SOAR.
    1. Rerun the install command for Splunk SOAR. Make sure you do not skip any prompts. Do not use the -y or --no-prompt command line arguments.
    2. The installer will prompt you to install glusterfs. You can answer no if you are not building or upgrading a clustered deployment.
  • If you are building or upgrading a cluster:
    1. Modify the install_common.py file
      1. On or around line 208, modify the base URL set for the GLUSTER_RPM_SOURCE_BASE_URL_EL8 variable to use vault instead of mirror.
          GLUSTER_RPM_SOURCE_BASE_URL_EL8 = (
              "https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/"
          )
                            
      2. Re-run the installer.

2024-07-25 PSAAS-18799 Cannot delete container from UI or REST call

Workaround:
Use the command "phenv delete_containers --id <container ID>" to delete those containers.
2024-07-23 PSAAS-18783 Limit Total Time and Memory Limits for UWSGI Workers

Workaround:
None
2024-07-03 PSAAS-18317 Cascading deletion of Assets, Users, PlaybookRun, and App data when deleting a Container
2024-05-28 PSAAS-17869 SAML auth denied due to duplicate key serial numbers
2024-05-23 PSAAS-17857 Update from source control failing due to playbook name with square bracket and colon in its name
2024-05-03 PSAAS-17586 ClusterUpgradePhase task fails when trying to upgrade a single-node cluster
2024-05-01 PSAAS-17559 "0: command not found" error is printed to the console when running start_phantom.sh

Workaround:
This workaround is optional. The error is cosmetic and does not indicate any deeper issue with the Splunk SOAR system.

To stop the error from printing entirely, copy the following code and replace line 13 of the existing start_phantom.sh code.


    if remote_db_in_install_conf && ! dev_in_install_conf && [ "${PHANTOM_IS_CLOUD}" != 1 ]; then
        must_have_minimum_postgresql_version
    fi


2024-04-25 PSAAS-17454 Slow API requests lead to missing VPE block outputs upon initial load

Workaround:
Manually re-generate outputs by deleting and/or reconfiguring the whole block.
2024-04-17 PSAAS-17299 Invalid Custom Block Names for Long Playbook Names

Workaround:
Rename the classic playbook before running it through the converter
2024-04-17 PSAAS-17305 REST APIs with pagination now give a 400 error
2024-04-03 PSAAS-17135 Investigation page: Playbook run tab is broken for playbook with empty inputs
2024-04-03 PSAAS-17165 VPE: Datapath within loop block doesn't reflect block name change

Workaround:
Before running a playbook that contains a looped block, make sure that all internal datapath configurations of the looped block are accurate and up-to-date by manually checking that each datapath refers to the correct block name.
2024-03-26 PSAAS-16961 Licensing extension not available

Workaround:
Contact Splunk Support at least 30 days before your license is set to expire.
2024-03-25 PSAAS-16959 Enabling the Secret Flag in Global Environment Variables Causes AB Test Connectivity/Poll Now to Fail

Workaround:
Remove the secret flag from all global environment variables for Test Connectivity to work with AB.
2024-03-13 PSAAS-16695 VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-06 PSAAS-16641 Global search checkbox for "Playbook Run" gets unselected when selecting other options

Workaround:
If you are selecting multiple search options, select all other options first, then select the Playbook Run option.
2024-03-06 PSAAS-16642 VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them

Workaround:
If you have already deleted multiple conditions in the filter block configuration panel:

If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel.

  • If the conditions match: No further action is required.
  • If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.

2024-03-04 PSAAS-16560, PSAAS-16564 Git operations on playbook repos fail with "Peer's certificate issuer has been marked as not trusted by the user" when using a custom certificate

Workaround:
There are two options:
  1. Manually configure git to use the certificate that you've previously imported to Splunk SOAR. Log into the system as the user owning the Splunk SOAR installation, using SSH, and execute the following command:
    
    git config --global http.sslCAInfo {PHANTOM_HOME}/etc/cacerts.pem
    
    

    If your Splunk SOAR deployment is a cluster, the git config command will need to be executed on each node in the cluster.

  2. Disable SSL verification for the affected git repo(s). This option is less secure.
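
To confirm which of the two options a node is actually running with, the following added example (not Splunk code) audits a git config file: it flags any global or per-URL http.sslVerify set to a false value and checks that http.sslCAInfo points at the expected bundle. The function name audit_git_tls, the sample host and the /opt/soar-example path are constructed for illustration; substitute {PHANTOM_HOME}/etc/cacerts.pem and the owning user's ~/.gitconfig.

```sh
# Added example: audit a git config file for the two workaround options above.
# Usage: audit_git_tls <gitconfig file> <expected CA bundle path>
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_git_tls() {
    cfg=$1
    expected_ca=$2
    status=0

    # Option 2 leaves http.sslVerify (global or per-URL) set to a false value.
    # git prints canonical keys, e.g. http.https://host/.sslverify
    disabled=$(git config --file "$cfg" --get-regexp '^http\..*sslverify$' 2>/dev/null |
        awk 'tolower($2) ~ /^(false|no|off|0)$/ { print $1 }')
    for key in $disabled; do
        echo "FAIL: TLS verification disabled by $key"
        status=1
    done

    # Option 1 sets http.sslCAInfo to the bundle imported into Splunk SOAR.
    ca=$(git config --file "$cfg" --get http.sslcainfo 2>/dev/null || true)
    if [ "$ca" = "$expected_ca" ]; then
        echo "OK: http.sslCAInfo points at $expected_ca"
    else
        echo "FAIL: http.sslCAInfo is '${ca:-unset}', expected '$expected_ca'"
        status=1
    fi
    return "$status"
}

# Constructed sample: option 1 applied, but a per-URL override from option 2 remains.
CA_BUNDLE=/opt/soar-example/etc/cacerts.pem   # stand-in for {PHANTOM_HOME}/etc/cacerts.pem
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
[http]
    sslCAInfo = /opt/soar-example/etc/cacerts.pem
[http "https://git.example.internal/"]
    sslVerify = false
EOF
audit_git_tls "$demo_cfg" "$CA_BUNDLE" || echo "node needs remediation"
rm -f "$demo_cfg"
```

In a cluster, run the check on every node, since the git config command has to be applied on each one.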

2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
Last modified on 13 December, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1

