Known issues for Splunk SOAR (On-premises)

Release 6.3.1

Splunk SOAR version 6.3.1 includes the following known issues.

Date filed  Issue number  Description
2025-03-17  PSAAS-22485  Usernames containing commas (,) causing prompt block execution failures in playbooks
2025-03-03  PSAAS-22258  Report PDF fails to download
Workaround:
Take a snapshot of your environment before you follow these steps.
  1. Verify which wkhtmltopdf package to download.
    https://github.com/wkhtmltopdf/packaging/releases/0.12.6-1
  2. From the SOAR CLI, download wkhtmltopdf (example shown is for CentOS/RHEL 8):
    wget https://github.com/wkhtmltopdf/packaging/releases/0.12.6-1/wkhtmltox-0.12.6-1.centos8.x86_64.rpm
  3. Use yum to install any required dependencies (example shown is for a default install of CentOS 8):
    yum install -y libX11 libXext libXrender libjpeg xorg-x11-fonts-75dpi xorg-x11-fonts-Type1
  4. Install wkhtmltopdf:
    rpm -Uvh wkhtmltox-0.12.6-1.centos8.x86_64.rpm
  5. Symlink wkhtmltopdf to /usr/bin:
    ln -s /usr/local/bin/wkhtmlto* /usr/bin/
  6. Restart SOAR (example shown uses the default SOAR install path):
    /opt/phantom/bin/stop_phantom.sh && /opt/phantom/bin/start_phantom.sh
2025-02-28  PSAAS-22217  Notes editing in events reverts if you switch tabs before saving
2025-02-06  PSAAS-21951  VPE: Prompt "markdown supported" is appended to question for response type "1-100" and "Custom Range"
2025-02-01  PSAAS-21762  Mobile: App cannot display any data (events, etc.) from registered SOAR instance
2025-01-15  PSAAS-21401  Executive report: Closed events over time chart does not display properly
2025-01-10  PSAAS-21345  Data preview is not refreshing the start block information when a new playbook is run
Workaround:
Refresh the page after running a playbook to observe a change in the container.
2025-01-02  PSAAS-21211  Playbook's loop exit condition uses stale container data when determining whether to exit
2024-12-19  PSAAS-21155  VPE: Python editor and canvas are disabled when all python code is removed
2024-12-03  PSAAS-20901  supervisord failing to start on warm standby instance
2024-11-20  PSAAS-20760  Restarting phantom with telemetry off stops logs from being written to spawn.log
2024-11-18  PSAAS-20667  VPE: Creating a new CEF field in datapath menu doesn't appear editable
2024-11-13  PSAAS-20654  Shutting down/restarting the system in a SOAR cluster without first shutting down SOAR caused ingestion intervals to be delayed
Workaround:
Clear stale ingestion status records from the database by running the following SQL:

    UPDATE ingestion_status SET status='failed', task_state='finished' WHERE status='running' AND start_time < now() - Interval '24 hours';

The above will only mark records that are older than 24 hours as failed.

Alternatively, disable polling on old assets and create new ones.

2024-11-06  PSAAS-20437  VPE: 'Key' field not editable
Workaround:
Copy the information you want to add and paste it into the key field. Right-click or control-click your mouse and select the Paste option from the context menu. Keyboard shortcuts do not work to paste information into this field.
2024-10-28  PSAAS-20299  VPE: Slider bar in Debugger tab is too tiny to control
2024-10-21  PSAAS-20147  VPE doesn't prevent user from spamming "Save and run" button, which can overload SOAR
2024-10-18  PSAAS-20124  Currently selected block in VPE may not be highlighted correctly
2024-10-16  PSAAS-20077, PSAAS-20465  VPE: Debugger Logs get messed up with regular log statements
Workaround:
The user must understand SOAR well enough to work around the messed-up debugger output and extract the right data.
2024-10-15  PSAAS-20040  VPE: Order of blocks within Block results tab is incorrect
Workaround:
The customer can still accomplish the flow.
2024-10-11  PSAAS-20016  SOAR Upgrade failure due to attempting to install SOAR when SOAR has already been installed
2024-10-04  PSAAS-19942  /opt/phantom/var/log/nginx/error.log is hard coded in config, leading to error: No such file or directory
2024-09-27  PSAAS-19843  Playbook-type blocks: cannot filter on known data types, some input datapaths cannot be copied
Workaround:
Do not use the known data types filter.
To copy a datapath, use the datapath picker in the configuration panel on the left of the screen.
2024-09-12  PSAAS-19457  phantom.get_notes() fails with "failed to retrieve note Error: That page contains no results" when number of notes is multiple of page size
2024-04-17  PSAAS-17305  REST APIs with pagination give a 400 error
2024-03-25  PSAAS-16959  Enabling the Secret Flag in Global Environment Variables Causes Automation Broker Test Connectivity/Poll Now to Fail
Workaround:
Remove the secret flag from all global environment variables for Test Connectivity to work with AB.
2024-03-13  PSAAS-16695  VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-06  PSAAS-16642  VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them
Workaround:
If you have already deleted multiple conditions in the filter block configuration panel:

If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel.

  • If the conditions match: No further action is required.
  • If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.
2024-02-22  PSAAS-16477  Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes
Workaround:
Manually change the image: line in docker-compose.yaml to point to
docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-01-30  PSAAS-16206  Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters
Workaround:
Use uppercase letters only.
2023-08-25  PSAAS-14609  Automation Broker: Broker status should be updated if the broker directory is no longer present