Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

repositories and signing keys packages

You will need to have the correct source repositories and the corresponding signing keys installed on your instance or cluster nodes in order to upgrade.

For a clustered deployment, install these repositories on cluster nodes that run . You do not need to install them on a Shared Services server, or servers providing external services to your cluster, such as load balancers or proxy servers, PostgreSQL database server, or a GlusterFS fileshare.

For privileged deployments with internet access

requires incremental upgrades from earlier versions. Do not skip any required versions when upgrading .

Use these commands to install the correct source repositories and signing keys package when the instructions call for you to install them. Replace the variables with the version numbers for version of to which you are upgrading.

For example, if you are upgrading from version 5.1.0.70187 to version 5.2.1.78411, and your instance is on Red Hat Enterprise Linux 7, use the following command:

rpm -Uvh https://repo.phantom.us/phantom/<major version.minor version>/base/7Server/x86_64/phantom_repo-<major version.minor version.release.build number>-1.x86_64.rpm

For unprivileged deployments, or deployments with limited internet access the repository and signing key contents are delivered in the upgrade tar file.

OS Command
CentOS 7
rpm -Uvh https://repo.phantom.us/phantom/<major version.minor version>/base/7/x86_64/phantom_repo-<major version.minor version.release.build number>-1.x86_64.rpm
RHEL 7
rpm -Uvh https://repo.phantom.us/phantom/<major version.minor version>/base/7Server/x86_64/phantom_repo-<major version.minor version.release.build number>-1.x86_64.rpm

Replace <major version.minor version> and <major version.minor version.release.build number>-1 with the Splunk Phantom release and build numbers provided in this table:

Release Name Release Major & Minor Version Number Release & Build Number
Splunk Phantom 2.1 2.1 2.1.486
Splunk Phantom 3.0 3.0 3.0.284
Splunk Phantom 3.5 3.5 3.5.210
Splunk Phantom 4.0 4.0 4.0.1068
Splunk Phantom 4.1 4.1 4.1.94
Splunk Phantom 4.2 4.2 4.2.7532
Splunk Phantom 4.5 4.5 4.5.15922
Splunk Phantom 4.6 4.6 4.6.19142
Splunk Phantom 4.8 patch 1 4.8 4.8.24304
Splunk Phantom 4.9 Release 5 4.9 4.9.39220
Splunk Phantom 4.10 4.10 4.10.0.40961
Splunk Phantom 4.10.1 4.10 4.10.1.45070
Splunk Phantom 4.10.2 4.10 4.10.2.47587
Splunk Phantom 4.10.3 4.10 4.10.3.51237
Splunk Phantom 4.10.4 4.10 4.10.4.56260
Splunk Phantom 4.10.6 4.10 4.10.6.61906
Splunk Phantom 4.10.7 4.10 4.10.7.63984
5.0.1 5.0 5.0.1.66250
5.1.0 5.1.0 5.1.0.70187
5.2.1 5.2.1 5.2.1.78411

For deployments without internet access or unprivileged deployments

Contact Splunk Support to get access to the correct installer tar file. Once access has been granted, you can download the file from the Splunk SOAR site.

For deployments with limited internet access

Offline upgrade tar files are available for these operating systems:

  • Red Hat Enterprise Linux 7.6 through 7.9

On your instance or on each cluster node:

  1. Make a directory for the TAR file.
    mkdir /usr/local/src/upgrade-<version>
  2. Change to the created directory.
    cd /usr/local/src/upgrade-<version>
  3. Download the Official Offline RPMs for your operating system from the Splunk SOAR site to the directory.
    1. (Conditional) If you do not see the Official Offline RPMs on the product downloads page, you must submit a support request to get access.
  4. Extract the tar file.
    tar -xvzf phantom_offline_setup_<OS>-<version>.tgz

For unprivileged deployments

On your instance or on each cluster node:

  1. Download the Official Unprivileged Tarball file for your operating system from the Splunk SOAR site.
    1. (Conditional) If you do not see the Official Unprivileged Tarball on the product downloads page, you must submit a support request to get access.
  2. Copy the installation tar file to the directory where was installed. This is the PHANTOM_HOME​ directory.
  3. Do this step as the user account that runs . On an unprivileged virtual machine image or AMI-based deployment, this user account is "phantom."
    Extract the installation tar file.
    tar -xvzf phantom-<version>.tgz
Last modified on 16 June, 2023
upgrade overview and prerequisites   Convert a privileged deployment to an unprivileged deployment

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters