Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run; however, you will no longer be able to visualize or modify existing classic playbooks.
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.2.2

Date filed Issue number Description
2025-01-14 PSAAS-21386 RHEL8 migration SOAR upgrade 6.2.2 (/admin/event_settings/response) not rendering
2024-11-20 PSAAS-20760 Restarting phantom with telemetry off stops logs from being written to spawn.log
2024-11-06 PSAAS-20434 VPE: Utility block pin API does not support all pin colors
2024-11-01 PSAAS-20358 Reporting : "Events resolved" and "Closed events" logic mismatch
2024-10-28 PSAAS-20310 Deleting role and recreating it with the same name caused issue in playbook prompt block

Workaround:
On SOAR on-prem, remove the duplicate entries for the same role name from the "role" table, and ensure that the remaining entry is not disabled.
2024-10-21 PSAAS-20142 VPE: Discarding changes doesn't reset the playbook editor for unconfigured action block
2024-10-04 PSAAS-19942 /opt/phantom/var/log/nginx/error.log is hard coded in config, which leads to error: No such file or directory
2024-10-02 PSAAS-19905 VPE: Filter condition fails to process empty list if it comes from action block
2024-09-27 PSAAS-19836 Input playbooks, missing menu to provide the inputs to test the playbook in the debugger

Workaround:
The feature is missing; the user cannot test the playbook.
2024-09-12 PSAAS-19457 phantom.get_notes() fails with "failed to retrieve note Error: That page contains no results" when number of notes is multiple of page size
2024-09-06 PSAAS-19321 Non Root Installs: Do not allow phantom services to be run with root on non-root installs
2024-09-06 PSAAS-19320 warm-standby: "--standby-mode --convert-to-primary" results in "File exists" when keystore is a mounted filesystem, and leaves SOAR instance in an unusable state with the potential for data loss
2024-08-16 PSAAS-19075 warm-standby: hot_standby parameter still on after "--standby-mode --off", resulting in unexpected behavior

Workaround:
After turning off warm standby using the command phenv python setup_warm_standby.pyc --standby-mode --off, use the command phsvc restart postgresql to restart PostgreSQL.
2024-08-13 PSAAS-19036 About page shows "Splunk Version" and "Splunk Build", which are not accurate as Splunk no longer ships with SOAR
2024-08-08 PSAAS-18987 Splunk SOAR (On-premises) Installer fails due to CentOS 8 mirror deprecation

Workaround:
  • If you are not building or upgrading a cluster, you can skip the glusterfs install step and continue the installation of Splunk SOAR.
    1. Rerun the install command for Splunk SOAR. Make sure you do not skip any prompts. Do not use the -y or --no-prompt command line arguments.
    2. The installer will prompt you to install glusterfs. You can answer no if you are not building or upgrading a clustered deployment.
  • If you are building or upgrading a cluster:
    1. Modify the install_common.py file
      1. On or around line 208, modify the base URL set for the GLUSTER_RPM_SOURCE_BASE_URL_EL8 variable to use vault instead of mirror.
          GLUSTER_RPM_SOURCE_BASE_URL_EL8 = (
              "https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/"
          )

      2. Re-run the installer.

2024-08-05 PSAAS-18888 warm-standby: "--standby-mode --convert-to-primary" results in "File exists" when keystore is a mounted filesystem, and leaves SOAR instance in an unusable state with the potential for data loss
2024-07-25 PSAAS-18798 VPE: Missing data paths in prompt block
2024-07-03 PSAAS-18317 Deleting the Playbook Run, or removing from the database the Asset, User, or App which created a container may cascade into deleting that container and its associated data

Workaround:
Upgrade to Splunk SOAR 6.3.0 or higher to remove the possibility of unintended container loss by any cause. If you cannot upgrade to Splunk SOAR 6.3.0 or higher at this time, you can use the SOAR shell (phenv phantom_shell) to manually prepare for the deletion of playbook_runs, for which you will need a list of affected playbook_run IDs. For assets, users, or ingestion apps, deleting via the REST API is a "soft delete" and is generally safe, with one notable exception for apps, listed below.
  • Playbook Runs
    
    phenv phantom_shell

    >>> ids = [<list>, <of>, <playbook_run>, <ids>]
    >>> Container.objects.filter(closing_rule_run_id__in=ids).update(closing_rule_run=None)
    
  • Apps

    Normally, apps are soft deleted. However, there is an edge case to be aware of: installing a previously deleted app for which all assets have been deleted or orphaned may delete containers and associated data originally created by the app, if and only if the app reinstallation process fails. This can be prevented by incrementing an app package's version in order to upgrade, instead of performing a delete and reinstall of the same app version.


2024-06-10 PSAAS-17997 Playbook Listing page tabs show incorrect list, except "All" tab
2024-05-14 PSAAS-17715 VPE CF block resource warning not being removed upon reconfiguring

Workaround:
The warning is only cosmetic and will not impact the playbook run. To remove the warning, completely delete the block and re-add a utility block instead of reconfiguring it.
2024-03-13 PSAAS-16695 VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-06 PSAAS-16642 VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them

Workaround:
If you have already deleted multiple conditions in the filter block configuration panel:

If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel.

  • If the conditions match: No further action is required.
  • If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.

2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-01-30 PSAAS-16206 Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters

Workaround:
Use uppercase letters only.
2023-08-25 PSAAS-14609 Automation Broker: Broker status should be updated if the broker directory is no longer present
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

Last modified on 20 February, 2025

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2

