Upgrade a single Splunk Phantom instance
It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises) from Splunk Phantom 4.10.7.
Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1.
See Splunk Phantom upgrade overview and prerequisites for more information.
Follow these steps to upgrade your Splunk Phantom instance.
- Make sure you have read and done the steps from Splunk Phantom upgrade overview and prerequisites.
- Log in to the Splunk Phantom instance's operating system as either the root user or a user with sudo privileges.
- If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps. If you have already disabled warm standby, cancelled backups, and set archive_mode to "off", skip these sub-steps as well.
- Disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
- If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
- Disable WAL archiving for the PostgreSQL database. Set archive_mode to "off" in the file /opt/phantom/data/db/postgresql.phantom.conf:
sed -i -e 's/archive_mode = on/archive_mode = off/i' /opt/phantom/data/db/postgresql.phantom.conf
- Restart PostgreSQL to make the configuration change take effect. For upgrading a system that is running PostgreSQL version 11:
/<$PHANTOM_HOME>/bin/phsvc restart postgresql-11
- Run the upgrade script. You will be prompted during this script for your Splunk Phantom Community portal login. The phantom_setup.sh script is only included when the phantom_repo RPM package is installed.
For example, as the root user:
/opt/phantom/bin/phantom_setup.sh upgrade --without-apps
However, if you want to upgrade your installed apps during an online upgrade, run this command as the root user:
/opt/phantom/bin/phantom_setup.sh upgrade
Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.
- If the upgrade script produced the following message:
To improve database performance, after completing the upgrade, run: su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
then run that command:
su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
- After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbook from the drop-down menu, then click the Reindex Search Data button.
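The pre-upgrade steps above edit the live PostgreSQL configuration with a one-line sed, and sed exits 0 whether or not its pattern matched (for example, a file written as "archive_mode=on" or "archive_mode = 'on'" is left untouched). The following added example, which is not part of the Splunk documentation or the Phantom product, rehearses that edit on a constructed copy of postgresql.phantom.conf, verifies the parsed archive_mode value, and then wraps the live sequence (cancel ibackup.pyc cron entries, edit the config, restart postgresql-11, run phantom_setup.sh upgrade --without-apps) in a function that is only run on request. PHANTOM_HOME defaulting to /opt/phantom, the cron entry matching on "ibackup.pyc", and the sample config contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Splunk's own script. Rehearses the "disable WAL archiving"
# step on a constructed copy of postgresql.phantom.conf and verifies the result
# before the same edit is made to the live file. PHANTOM_HOME defaulting to
# /opt/phantom and the ibackup.pyc cron entry name are assumptions.
set -u

# Constructed sample of the relevant lines; a real postgresql.phantom.conf is longer.
make_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, not a real Splunk Phantom config
wal_level = replica
archive_mode = on
archive_command = '/opt/phantom/bin/ibackup.pyc archive %p'
EOF
}

# Effective archive_mode: last uncommented assignment, with trailing comment,
# quotes, whitespace and case stripped (PostgreSQL accepts all of these forms).
archive_mode_value() {
  grep -i '^[[:space:]]*archive_mode[[:space:]]*=' "$1" \
    | tail -n 1 \
    | sed -e 's/#.*//' -e 's/^[^=]*=//' \
    | tr -d "[:space:]'\"" \
    | tr 'A-Z' 'a-z'
}

# Same substitution the upgrade steps give, plus a backup copy so archiving can
# be re-enabled after the upgrade by restoring it.
disable_wal_archiving() {
  conf="$1"
  cp -p "$conf" "$conf.pre-upgrade.bak"
  sed -i -e 's/archive_mode = on/archive_mode = off/i' "$conf"
}

# The sed pattern only matches "archive_mode = on" with single spaces, so gate
# the upgrade on the parsed value rather than on sed's exit status.
wal_archiving_is_off() {
  [ "$(archive_mode_value "$1")" = "off" ]
}

# Dry run against the constructed sample; returns 0 when the edit is verified.
rehearse() {
  tmp=$(mktemp)
  make_sample_conf "$tmp"
  disable_wal_archiving "$tmp"
  status=0
  wal_archiving_is_off "$tmp" || status=1
  rm -f "$tmp" "$tmp.pre-upgrade.bak"
  return $status
}

# Live sequence from the upgrade steps; run only as root inside the upgrade window.
pre_upgrade_live() {
  phantom_home="${PHANTOM_HOME:-/opt/phantom}"
  conf="$phantom_home/data/db/postgresql.phantom.conf"
  [ "$(id -u)" -eq 0 ] || { echo "run as root or via sudo" >&2; return 1; }
  # Cancel scheduled ibackup.pyc runs (assumes a root crontab entry naming ibackup.pyc).
  if crontab -l 2>/dev/null | grep -q 'ibackup.pyc'; then
    crontab -l | grep -v 'ibackup.pyc' | crontab -
  fi
  disable_wal_archiving "$conf"
  wal_archiving_is_off "$conf" || { echo "archive_mode is still not off in $conf" >&2; return 1; }
  # Restart PostgreSQL 11 so the change takes effect, then upgrade without apps.
  "$phantom_home/bin/phsvc" restart postgresql-11
  "$phantom_home/bin/phantom_setup.sh" upgrade --without-apps
}

case "${1:-}" in
  --rehearse) rehearse ;;
  --live) pre_upgrade_live ;;
esac
```

Run it with --rehearse first; it exits non-zero if the substitution did not take, which is exactly the case the bare sed one-liner hides. Keep the .pre-upgrade.bak copy, because the upgrade steps turn archiving off but nothing later turns it back on, and a backup schedule that silently stops archiving WAL is a recovery problem you only discover when you need the backups.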
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7