Upgrade a single unprivileged Splunk Phantom instance
It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises) from Splunk Phantom 4.10.7.
Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1.
See Splunk Phantom upgrade overview and prerequisites for more information.
Follow these steps to upgrade your unprivileged Splunk Phantom instance, or to convert and upgrade your existing, privileged Splunk Phantom instance to an unprivileged instance. Use these steps even if your unprivileged Splunk Phantom instance has limited access to the internet. The installation TAR file contains everything needed to complete this upgrade.
Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.
- Make sure you have read Splunk Phantom upgrade overview and prerequisites.
- Update the operating system and installed packages. See Prepare your Splunk Phantom deployment for upgrade.
- Download the Official Unprivileged Tarball file for your operating system from the Splunk Phantom community website Product Downloads page.
- (Conditional) If you do not see the Official Unprivileged Tarball on the product downloads page, you must submit a support request to get access.
- Log in to the Splunk Phantom instance's operating system as the user account that runs Splunk Phantom. On an unprivileged virtual machine image or AMI-based deployment, this user account is "phantom."
- If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
  - Disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
  - If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
  - Disable WAL archiving for the PostgreSQL database. Set archive_mode to "off" in the file <$PHANTOM_HOME>/data/db/postgresql.phantom.conf:
    sed -i -e 's/archive_mode = on/archive_mode = off/i' /<$PHANTOM_HOME>/data/db/postgresql.phantom.conf
  - Restart PostgreSQL to make the configuration change take effect. For upgrading a system that is running PostgreSQL version 11:
    /<$PHANTOM_HOME>/bin/phsvc restart postgresql-11
- As the user 'phantom', copy the installation tar file to the directory where Splunk Phantom is installed. This is the PHANTOM_HOME directory. On an unprivileged virtual machine image or AMI-based deployment, this directory is /opt/phantom/.
- As the user 'phantom', extract the installation tar file.
tar -xvzf phantom-<version>.tgz
- Run the upgrade script with the nohup command. Using nohup helps you avoid issues in case the SSH session times out, such as upgrade failure or system wipe and rebuild.
  To upgrade the platform without upgrading the installed apps (--without-apps):
  nohup /<$PHANTOM_HOME>/bin/phenv /<$PHANTOM_HOME>/phantom_tar_install.sh upgrade --no-prompt --without-apps
  Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.
  To upgrade all the installed apps during the platform upgrade:
  nohup /<$PHANTOM_HOME>/bin/phenv /<$PHANTOM_HOME>/phantom_tar_install.sh --no-prompt upgrade
- If you are converting a privileged instance to an unprivileged instance as part of an upgrade, run the upgrade script. See Convert a privileged deployment to an unprivileged deployment for more information.
sudo /<$PHANTOM_HOME>/bin/phenv /<$PHANTOM_HOME>/phantom_tar_install.sh upgrade
Do this only if upgrading from Splunk Phantom 4.9 to Splunk Phantom 4.10.1. Do not do this step if you are upgrading from Splunk Phantom 4.10 to Splunk Phantom 4.10.1.
- If the upgrade script produced the following message:
  To improve database performance, after completing the upgrade, run: /<$PHANTOM_HOME>/bin/phenv /<$PHANTOM_HOME>/usr/postgresql/bin/vacuumdb -h /tmp --all --analyze-in-stages
  then run the command:
  /<$PHANTOM_HOME>/bin/phenv /<$PHANTOM_HOME>/usr/postgresql/bin/vacuumdb -h /tmp --all --analyze-in-stages
- After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbooks from the drop-down menu, then click the Reindex Search Data button.
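The following script is an added example, not Splunk's own tooling, that collects the pre-upgrade steps above (confirming that no ibackup.pyc cron entry is still active, switching archive_mode to "off" and verifying the result, restarting PostgreSQL 11) and then launches the platform upgrade under nohup. It assumes PHANTOM_HOME is /opt/phantom (the unprivileged image default named above) unless overridden, that the live crontab is read with crontab -l, and that the upgrade output is kept in a log file whose name is this script's own convention; the sample configuration lines used to exercise it are constructed. The verification step is the part a practitioner wants that the one-line sed does not give: it reads back the effective value, so a file that says "always" rather than "on" is reported instead of silently left archiving.

```shell
#!/bin/sh
# Added example (not Splunk's own code): pre-upgrade checks for a single
# unprivileged Splunk Phantom instance, as checkable shell functions.
# PHANTOM_HOME defaults to the unprivileged image layout (/opt/phantom);
# override it to match your installation. Run as the "phantom" user.
PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"

# Print the effective archive_mode value from a postgresql.phantom.conf
# (last uncommented "archive_mode = ..." line), or "unset" if none is active.
wal_archiving_state() {
    awk 'tolower($0) ~ /^[[:space:]]*archive_mode[[:space:]]*=/ {
             sub(/#.*/, "")                 # drop a trailing comment
             split($0, kv, "=")
             v = kv[2]
             gsub(/[^A-Za-z]/, "", v)       # strip spaces and quotes
             val = tolower(v)
         }
         END { print (val == "" ? "unset" : val) }' "$1"
}

# Set archive_mode to "off" (same substitution the page uses, anchored to
# active lines only), keep a backup of the file, then verify the result.
# Idempotent; returns 1 if the effective value is anything other than "off",
# for example a file that still says "always".
disable_wal_archiving() {
    conf="$1"
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed -i -e 's/^\([[:space:]]*archive_mode[[:space:]]*=[[:space:]]*\)on/\1off/i' "$conf"
    [ "$(wal_archiving_state "$conf")" = "off" ] || {
        echo "archive_mode is still $(wal_archiving_state "$conf") in $conf" >&2
        return 1
    }
}

# Return 0 when the given crontab text contains no active ibackup.pyc entry;
# commented-out lines are ignored. Pass "$(crontab -l)" for the live crontab.
ibackup_cron_is_disabled() {
    ! printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'ibackup\.pyc'
}

# Live sequence for a real instance: cron check, WAL archiving off,
# PostgreSQL 11 restart, tarball extraction in PHANTOM_HOME, then the
# platform upgrade under nohup with its output kept in a log file
# (the log file name is this script's own convention).
run_upgrade() {
    tarball="$1"
    conf="$PHANTOM_HOME/data/db/postgresql.phantom.conf"
    ibackup_cron_is_disabled "$(crontab -l 2>/dev/null)" || {
        echo "an ibackup.pyc cron entry is still active; disable it first" >&2
        return 1
    }
    disable_wal_archiving "$conf" || return 1
    "$PHANTOM_HOME/bin/phsvc" restart postgresql-11 || return 1
    cp "$tarball" "$PHANTOM_HOME/" && cd "$PHANTOM_HOME" \
        && tar -xvzf "$(basename "$tarball")" || return 1
    # nohup keeps the upgrade running if the SSH session drops
    nohup "$PHANTOM_HOME/bin/phenv" "$PHANTOM_HOME/phantom_tar_install.sh" \
        --no-prompt upgrade > "$PHANTOM_HOME/upgrade-$(date +%Y%m%d%H%M%S).log" 2>&1
}

# Usage: sh preupgrade.sh run /path/to/phantom-<version>.tgz
if [ "$1" = "run" ]; then
    run_upgrade "$2"
fi
```

The check functions can be sourced and called on their own before the upgrade window, which is how the WAL and cron state of a warm-standby pair can be confirmed on each node without touching the live database.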
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7