Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade an unprivileged Splunk Phantom Cluster

Perform the following tasks to upgrade your unprivileged Splunk Phantom cluster.

  1. Make sure you have read Splunk Phantom upgrade overview and prerequisites.
  2. On each node, Upgrade the operating system and installed packages.
  3. On each node, Copy the installation tar file to the cluster node.
  4. On each node, one at a time, Upgrade individual cluster nodes.
  5. If your cluster uses a Shared Services server created with make_server_node.pyc, perform the additional steps for clusters with a Shared Services server.
  6. Once all cluster nodes have been upgraded, reindex playbook data. From Main Menu > Administration > Administration Settings > Search Settings, select Playbooks from the drop-down menu, then click the Reindex Search Data button.

Upgrade the operating system and installed packages

Before you begin, download the installation tar file for the target version from the Splunk Phantom Community portal. If you do not see the required file, contact Phantom support.

Do these steps as either the root user or a user with sudo permissions.

  1. Log in to the Splunk Phantom instance's operating system as either the root user or a user with sudo privileges.
  2. Stop all Splunk Phantom services.
    <PHANTOM_HOME>/bin/stop_phantom.sh
  3. Delete the file /tmp/phantomOvaUpgrade.
    rm -f /tmp/phantomOvaUpgrade
  4. Clear the YUM caches.
    sudo yum clean all
  5. Update the operating system and installed packages.
    sudo yum update --exclude=nginx
  6. If a kernel update was included in your operating system updates, restart the operating system.
    sudo reboot
  7. After the operating system has restarted, start Splunk Phantom. In an unprivileged cluster, run this script as the user account that owns the PHANTOM_HOME directory, not as root.
    <PHANTOM_HOME>/bin/start_phantom.sh

Copy the installation tar file to the cluster node

Do these steps as the user that owns the PHANTOM_HOME directory.

  1. Log in to the operating system as the user account that owns the PHANTOM_HOME directory.
  2. Copy the installation tar file to the directory where Splunk Phantom was installed. This is the PHANTOM_HOME directory.
  3. Extract the installation tar file.
    tar -xvzf phantom-<version>.tgz

Upgrade individual cluster nodes

Do not attempt to upgrade all the nodes at the same time. Upgrade a single node and bring it back online before proceeding to the next cluster node.

Database migrations are applied once a majority of the nodes has been upgraded, that is, after N+1 nodes where N is half the number of nodes in your cluster. This can take a significant amount of time, depending on the amount of data in your database and the version of Splunk Phantom from which you are upgrading.

Do these steps as the user that owns the PHANTOM_HOME directory.

  1. Log in to the operating system as the user who owns the PHANTOM_HOME directory.
  2. Run the upgrade script.
    <PHANTOM_HOME>/phantom_tar_install.sh upgrade
    If you don't want to upgrade your installed apps during the upgrade, use the --without-apps option.
    <PHANTOM_HOME>/phantom_tar_install.sh upgrade --without-apps
  3. Once all cluster nodes have been upgraded, reindex playbook data. From Main Menu > Administration > Administration Settings > Search Settings, select Playbooks from the drop-down menu, then click the Reindex Search Data button.

Additional steps for clusters with a Shared Services server

A Shared Services server is a single Splunk Phantom instance that has been converted to provide the following services for a Splunk Phantom cluster:

  • HA Proxy as a load balancer.
  • PostgreSQL database for all Splunk Phantom nodes.
  • Source control repository for playbooks.
  • File share
  • Splunk Enterprise

If your cluster runs these services on their own dedicated nodes and does not use a single Shared Services server created by the make_server_node.pyc script, this section does not apply.

In Splunk Phantom 4.8, SSL certificates and keys have been moved to <PHANTOM_HOME>/data/ssl/. If your cluster uses a Shared Services server created with make_server_node.pyc, you need to move your SSL keys and certificates in order to use backup and restore functions.

Perform the following steps as the user that owns PHANTOM_HOME. Do not use sudo in unprivileged deployments.

  1. Move the directory <PHANTOM_HOME>/data/db/ssl to the new location.
    mv <PHANTOM_HOME>/data/db/ssl <PHANTOM_HOME>/data/ssl
    mv preserves ownership and mode, so server.key stays private to the PHANTOM_HOME owner. Confirm that it is still mode 0600: PostgreSQL refuses to start if the key file it owns is readable by group or others.
  2. Using psql, connect to PostgreSQL over the local socket and set the new value for ssl_cert_file.
    psql -h /tmp -p 5432 -c "ALTER SYSTEM SET ssl_cert_file = '<PHANTOM_HOME>/data/ssl/server.cert'"
  3. Set the new value for ssl_key_file.
    psql -h /tmp -p 5432 -c "ALTER SYSTEM SET ssl_key_file = '<PHANTOM_HOME>/data/ssl/server.key'"
  4. ALTER SYSTEM only writes the values to postgresql.auto.conf. On PostgreSQL 10 and later they take effect after a configuration reload; on PostgreSQL 9.x the ssl_* settings are read only at server start, so restart PostgreSQL. Verify with "SHOW ssl_key_file;" before relying on backup and restore.
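The move and the two ALTER SYSTEM statements above, wrapped in the checks a practitioner would add, as an added shell example that is not part of the Splunk Phantom documentation or product: it refuses to touch anything unless run by the owner of PHANTOM_HOME, is safe to re-run, keeps server.key at mode 0600, and finishes with SHOW so you can see which paths PostgreSQL actually uses. It assumes a psql client on PATH (override with the PSQL variable), the /tmp socket directory and port 5432 from this page, and the file names server.cert and server.key; none of these are confirmed by the page beyond the commands shown.

```shell
#!/usr/bin/env bash
# Added example (not from the Splunk Phantom documentation): relocate the PostgreSQL
# TLS certificate and key on a Shared Services server from <PHANTOM_HOME>/data/db/ssl
# to <PHANTOM_HOME>/data/ssl and point PostgreSQL at the new paths, with the checks
# a practitioner wants around a bare "mv" and "ALTER SYSTEM".
#
# Assumptions (not stated on the page): a psql client is on PATH (override with PSQL=...),
# the socket directory /tmp and port 5432 from the page are correct, and the files are
# named server.cert and server.key.
set -u

# Emit the two ALTER SYSTEM statements, for review or for piping into psql.
ssl_alter_sql() {
  printf "ALTER SYSTEM SET ssl_cert_file = '%s/data/ssl/server.cert';\n" "$1"
  printf "ALTER SYSTEM SET ssl_key_file = '%s/data/ssl/server.key';\n" "$1"
}

# Move data/db/ssl to data/ssl. Safe to re-run: returns 0 without touching anything
# when the destination already exists, and refuses to run as anyone but the owner of
# PHANTOM_HOME (the page's "do not use sudo in unprivileged deployments").
move_phantom_ssl() {
  home=$1
  src="$home/data/db/ssl"
  dst="$home/data/ssl"
  if [ ! -d "$home" ] || [ ! -O "$home" ]; then
    echo "$home is missing or not owned by $(id -un); run as the PHANTOM_HOME owner" >&2
    return 1
  fi
  if [ -d "$dst" ]; then
    echo "$dst already exists; leaving it in place" >&2
    return 0
  fi
  for f in server.cert server.key; do
    if [ ! -f "$src/$f" ]; then
      echo "missing $src/$f; nothing moved" >&2
      return 1
    fi
  done
  mv "$src" "$dst" || return 1
  # PostgreSQL refuses to start if the key file it owns is readable by group or others.
  chmod 0600 "$dst/server.key"
}

# Write the new paths with ALTER SYSTEM, reload, and show what the server now uses.
# ALTER SYSTEM only updates postgresql.auto.conf. On PostgreSQL 10 and later a reload
# picks the ssl_* settings up; on 9.x they need a restart, so the SHOW at the end is
# the check that the change actually landed.
apply_phantom_ssl_paths() {
  home=$1
  psql_cmd=${PSQL:-psql}
  ssl_alter_sql "$home" | $psql_cmd -h /tmp -p 5432 -v ON_ERROR_STOP=1 -q || return 1
  $psql_cmd -h /tmp -p 5432 -q -c "SELECT pg_reload_conf();" || return 1
  $psql_cmd -h /tmp -p 5432 -c "SHOW ssl_cert_file;" || return 1
  $psql_cmd -h /tmp -p 5432 -c "SHOW ssl_key_file;"
}

# Usage (example path): PHANTOM_HOME=/opt/phantom sh migrate_phantom_ssl.sh --apply
if [ "${1:-}" = "--apply" ] && [ -n "${PHANTOM_HOME:-}" ]; then
  move_phantom_ssl "$PHANTOM_HOME" && apply_phantom_ssl_paths "$PHANTOM_HOME"
fi
```

Run it on the Shared Services server as the PHANTOM_HOME owner. If the final SHOW still reports the old data/db/ssl paths, the PostgreSQL release predates reloadable ssl_* settings and the server needs a restart before backup and restore will find the certificate and key.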
Last modified on 08 January, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8
