Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Upgrade a single Splunk Phantom instance

It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises) from Splunk Phantom 4.10.7.

Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.

Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1

See Splunk Phantom upgrade overview and prerequisites for more information.

Follow these steps to upgrade your Splunk Phantom instance.

  1. Make sure you have read and done the steps from Splunk Phantom upgrade overview and prerequisites.
  2. Log in to the Splunk Phantom instance's operating system as either the root user or a user with sudo privileges.
  3. If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
    1. Disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.

      If you have already disabled warm standby, cancelled backups, and set archive_mode to "off", skip these steps.

    2. If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
    3. Disable WAL archiving for the PostgreSQL database. Set the archive_mode to "off" in the file /opt/phantom/data/db/postgresql.phantom.conf.
      sed -i -e 's/archive_mode = on/archive_mode = off/i' /opt/phantom/data/db/postgresql.phantom.conf
    4. Restart PostgreSQL to make the configuration change take effect. For upgrading a system that is running PostgreSQL version 11:
      /<$PHANTOM_HOME>/bin/phsvc restart postgresql-11
  4. Run the upgrade script. You will be prompted during this script for your Splunk Phantom Community portal login.
    For example, as the root user:
    /opt/phantom/bin/phantom_setup.sh upgrade --without-apps
    However, if you want to upgrade your installed apps during an online upgrade, run this command as the root user:
    /opt/phantom/bin/phantom_setup.sh upgrade 
    The the phantom_setup.sh script is only included when the phantom_repo RPM package is installed.

    Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.

  5. If the upgrade script produced the following message:
    To improve database performance, after completing the upgrade, run: su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
    Then run the command:
    su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
  6. After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbook from the drop-down menu, then click the Reindex Search Data button.
Last modified on 26 September, 2023
Convert a privileged deployment to an unprivileged deployment   Upgrade a single Splunk Phantom instance on a system with limited internet access

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters