Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.2.1

Date filed Issue number Description
2025-01-28 PSAAS-21598 SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page

Workaround:
Change settings on the playbook listing page instead of the Visual Playbook Editor view.
2025-01-02 PSAAS-21211 Playbook's loop exit condition uses stale container data when determining whether to exit
2024-11-20 PSAAS-20760 Restarting phantom with telemetry off stops logs from being written to spawn.log
2024-11-13 PSAAS-20654 Shutting down/restarting the system in a SOAR cluster without first shutting down SOAR caused ingestion intervals to be delayed

Workaround:
Clear stale Ingestion status records from the database by running the following sql:

{noformat}UPDATE ingestion_status SET status='failed', task_state='finished' WHERE status='running' AND start_time < now() - Interval '24 hours';{noformat}

The above will only mark records that are older than 24 hours as failed.

Alternatively, disable polling on old assets and create new ones.

2024-11-06 PSAAS-20434 Utility block pin API does not support all pin colors
2024-10-11 PSAAS-20016 SOAR Upgrade failure due to attempting to install SOAR when SOAR has already been installed
2024-09-09 PSAAS-19325 Export of playbooks does not work if using the Optional "Path to Playbooks" is specified in source control
2024-08-26 PSAAS-19171 Pip packages upgraded during install, old versions still exist missing METADATA files

Workaround:
  • Remove the older versions(directories listed in the warning) manually from the site-packages directory for filelock, platformdirs, referencing, soupsieve and virtualenv.
  • Upgrade pip: 
    phenv pip3 install --upgrade pip
  • purge pip cache: 
    phenv pip3 cache purge
  • Re-install pip packages

2024-08-13 PSAAS-19036 About page shows "Splunk Version" and "Splunk Build", which are not accurate as Splunk no longer ships with SOAR
2024-08-08 PSAAS-18987 Splunk SOAR (On-premises) Installer fails due to centos 8 mirror deprecation

Workaround:
  • If you are not building or upgrading a cluster, you can skip the glusterfs install step and continue the installation of Splunk SOAR.
    1. Rerun the install command for Splunk SOAR. Make sure you do not skip any prompts. Do not use the -y or --no-prompt command line arguments.
    2. The installer will prompt you to install glusterfs. You can answer no if you are not building or upgrading a clustered deployment.
  • If you are building or upgrading a cluster:
    1. Modify the install_common.py file
      1. On or around line 208, modify the base URL set for the GLUSTER_RPM_SOURCE_BASE_URL_EL8 variable to use vault instead of mirror. 
                                GLUSTER_RPM_SOURCE_BASE_URL_EL8 = (
                        "[https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/|https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/] "
                        )
      2. Re-run the installer.

2024-07-25 PSAAS-18799 Cannot delete container from UI or REST call

Workaround:
Using command "phenv delete_containers --id <container ID>" to delete those containers.
2024-07-23 PSAAS-18783 Limit Total Time and Memory Limits for UWSGI Workers

Workaround:
None
2024-07-03 PSAAS-18317 Deleting the Playbook Run, or removing from the database the Asset, User, or App which created a container may cascade into deleting that container and its associated data

Workaround:
Upgrade to Splunk SOAR 6.3.0 or higher to remove the possibility of unintended container loss by any cause. If you cannot upgrade to Splunk SOAR 6.3.0 or higher at this time, you can use the SOAR's shell, (phenv phantom_shell) to manually prepare for the deletion of playbok_runs, for which you will need a list of affected playbook_run IDs. For assets, users, or ingestion apps, deleting via the REST API is a "soft delete" and is generally safe, with one notable exception for apps listed below
  • Playbook Runs 
    
phenv phantom_shell

>>> ids = [<list>, <of>, <playbook_run>, <ids>]

>>> Container.objects.filter(closing_rule_run_id__in=ids).update(closing_rule_run=None)

<pre></code></li>

<li>Apps

<p>Normally, apps are soft deleted. However, there is an edge case to be aware of: installing a previously deleted app for which all assets have been deleted or orphaned may delete containers and associated data originally created by the app, if and only if the app reinstallation process fails. This can be prevented by incrementing an app package's version in order to upgrade, instead of performing a delete and reinstall of the same app version.</p>

</li></ul><br/> 
|- 
| 2024-05-28||PSAAS-17869||SAML auth denied due to duplicate key serial numbers 
|- 
| 2024-05-23||PSAAS-17857||Update from source control failing due to playbook name with square braket and colon in its name 
|- 
| 2024-05-03||PSAAS-17586||ClusterUpgradePhase task fails when trying to upgrade a single-node cluster 
|- 
| 2024-05-01||PSAAS-17559||"0: command not found" error is printed to the console when running start_phantom.sh<br/><br/>Workaround:<br/>This workaround is optional. The error is cosmetic and does not indicate any deeper issue with the Splunk SOAR system.

To stop the error from printing entirely, copy the following code and replace line 13 of the existing start_phantom.sh code. 

<div class="samplecode"><pre>

if remote_db_in_install_conf && ! dev_in_install_conf && [ ${PHANTOM_IS_CLOUD} != 1 ]; then
must_have_minimum_postgresql_version
fi

2024-04-25 PSAAS-17454 slow API requests lead to missing VPE block outputs upon initial load

Workaround:
Manually re-generate outputs by deleting and/or reconfiguring the whole block.
2024-04-17 PSAAS-17305 REST APIs with pagination give a 400 error
2024-04-03 PSAAS-17135 Investigation page: Playbook run tab is broken for playbook with empty inputs
2024-04-03 PSAAS-17165 VPE: Datapath within loop block doesn't reflect block name change

Workaround:
Before running a playbook that contains a looped block, make sure that all internal datapath configurations of the looped block are accurate and up-to-date by manually checking that each datapath refers to the correct block name.
2024-03-26 PSAAS-16961 Licensing extension not available

Workaround:
Contact Splunk Support at least 30 days before your license is set to expire.
2024-03-25 PSAAS-16959 Enabling the Secret Flag in Global Environment Variables Causes AB Test Connectivity/Poll Now to Fail

Workaround:
Remove the secret flag from all global environment variables for Test Connectivity to work with AB.
2024-03-13 PSAAS-16695 VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-06 PSAAS-16641 Global seach checkbox for "Playbook Run" gets unselected when selecting other options

Workaround:
If you are selecting multiple search options, select all other options first, then select the Playbook Run option.
2024-03-06 PSAAS-16642 VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them

Workaround:
If you have already deleted multiple conditions in the filter block configuration panel:

If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel.

  • If the conditions match: No further action is required.
  • If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.

2024-03-04 PSAAS-16560, PSAAS-16564 Git operations on playbook repos fail with "Peer's certificate issuer has been marked as not trusted by the user" when using a custom certificate

Workaround:
There are two options:
  1. Manually configure git to use the certificate that you've previously imported to Splunk SOAR. Log into the system as the user owning the Splunk SOAR installation, using SSH, and execute the following command: 
    
git config --global http.sslCAInfo {PHANTOM_HOME}/etc/cacerts.pem

    If your Splunk SOAR deployment is a cluster, the git config command will need to be executed on each node in the cluster.

  2. Disable SSL verification for the affected git repo(s). This option is less secure

2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-01-30 PSAAS-16206 Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters

Workaround:
Use uppercase letters only.
2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
Last modified on 13 February, 2025
Welcome to Splunk SOAR (On-premises) 6.2.1   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters