Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom



This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Splunk Phantom repositories and signing keys packages

To upgrade, you need the correct source repositories and the corresponding signing keys installed on your Splunk Phantom instance or cluster nodes.

For a clustered deployment, install these repositories on cluster nodes that run Splunk Phantom. You do not need to install them on a Shared Services server, or servers providing external services to your Splunk Phantom cluster, such as load balancers or proxy servers, PostgreSQL database server, or a GlusterFS fileshare.

For privileged Splunk Phantom deployments with internet access

Splunk Phantom requires incremental upgrades from earlier versions. Do not skip any required versions when upgrading Splunk Phantom.

Use these commands to install the correct source repositories and signing keys package when the instructions call for you to install them. Replace the variables with the version numbers for the version of Splunk Phantom to which you are upgrading.

For example, if you are upgrading from version 4.10.0.40961 to version 4.10.1.45070, and your instance is on Red Hat Enterprise Linux 7, use the following command:

rpm -Uvh https://repo.phantom.us/phantom/4.10/base/7Server/x86_64/phantom_repo-4.10.1.45070-1.x86_64.rpm

For unprivileged deployments, or deployments with limited internet access, the repository and signing key contents are delivered in the upgrade tar file.

OS          Command
CentOS 7    rpm -Uvh https://repo.phantom.us/phantom/<major version.minor version>/base/7/x86_64/phantom_repo-<major version.minor version.release.build number>-1.x86_64.rpm
RHEL 7      rpm -Uvh https://repo.phantom.us/phantom/<major version.minor version>/base/7Server/x86_64/phantom_repo-<major version.minor version.release.build number>-1.x86_64.rpm

Replace <major version.minor version> and <major version.minor version.release.build number>-1 with the Splunk Phantom release and build numbers provided in this table:

Splunk Phantom Release Version    Splunk Phantom Release and Build Number
2.1                               2.1.486
3.0                               3.0.284
3.5                               3.5.210
4.0                               4.0.1068
4.1                               4.1.94
4.2                               4.2.7532
4.5                               4.5.15922
4.6                               4.6.19142
4.8 patch 1                       4.8.24304
4.9 Release 5                     4.9.39220
4.10                              4.10.0.40961
4.10.1                            4.10.1.45070
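
The substitution described above can be scripted so that the URL is always built from a build number in the table. This is an added example, not Splunk's own tooling: the function name phantom_repo_url and the PHANTOM_BUILDS variable are hypothetical, and the OS names and build numbers are the ones listed on this page.

```shell
# Release and build numbers copied from the table on this page.
PHANTOM_BUILDS="2.1.486 3.0.284 3.5.210 4.0.1068 4.1.94 4.2.7532 4.5.15922
4.6.19142 4.8.24304 4.9.39220 4.10.0.40961 4.10.1.45070"

# phantom_repo_url OS BUILD
# Prints the phantom_repo RPM URL, or returns 1 on unknown input.
phantom_repo_url() {
    os=$1
    build=$2

    # Map the OS name to the path component used in the commands above.
    case $os in
        "CentOS 7") osdir=7 ;;
        "RHEL 7")   osdir=7Server ;;
        *) echo "unsupported OS: $os" >&2; return 1 ;;
    esac

    # Accept only build numbers listed in the table. This also keeps
    # unexpected characters out of the URL handed to rpm.
    found=no
    for b in $PHANTOM_BUILDS; do
        if [ "$b" = "$build" ]; then
            found=yes
        fi
    done
    if [ "$found" != yes ]; then
        echo "build number not in table: $build" >&2
        return 1
    fi

    # <major version.minor version> is the first two dot-separated fields,
    # so build 4.10.1.45070 is served from the 4.10 path, not 4.10.1.
    major_minor=$(printf '%s\n' "$build" | cut -d. -f1-2)

    printf 'https://repo.phantom.us/phantom/%s/base/%s/x86_64/phantom_repo-%s-1.x86_64.rpm\n' \
        "$major_minor" "$osdir" "$build"
}

# Usage: rpm -Uvh "$(phantom_repo_url 'RHEL 7' 4.10.1.45070)"
```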

For Splunk Phantom deployments without internet access or unprivileged deployments

Contact Splunk Phantom Support to get access to the correct installer tar file. Once access has been granted, you can download the file from the Splunk Phantom community website.

For Splunk Phantom deployments with limited internet access

Offline upgrade tar files are available for these operating systems:

  • Red Hat Enterprise Linux 7.6 through 7.9

On your Splunk Phantom instance or on each cluster node:

  1. Make a directory for the tar file.
    mkdir /usr/local/src/upgrade-<version>
  2. Change to the created directory.
    cd /usr/local/src/upgrade-<version>
  3. Download the Official Offline RPMs for your operating system from the Splunk Phantom community website Product Downloads page to the directory.
    1. (Conditional) If you do not see the Official Offline RPMs on the product downloads page, you must submit a support request to get access.
  4. Extract the tar file.
    tar -xvzf phantom_offline_setup_<OS>-<version>.tgz

For unprivileged Splunk Phantom deployments

On your Splunk Phantom instance or on each cluster node:

  1. Download the Official Unprivileged Tarball file for your operating system from the Splunk Phantom community website Product Downloads page.
    1. (Conditional) If you do not see the Official Unprivileged Tarball on the product downloads page, you must submit a support request to get access.
  2. Copy the installation tar file to the directory where Splunk Phantom was installed. This is the PHANTOM_HOME directory.
  3. Do this step as the user account that runs Splunk Phantom. On an unprivileged virtual machine image or AMI-based deployment, this user account is "phantom."
    Extract the installation tar file.
    tar -xvzf phantom-<version>.tgz
Last modified on 22 April, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1

