Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade a single unprivileged Splunk Phantom instance

Follow these steps to upgrade your unprivileged Splunk Phantom instance, or to convert and upgrade your existing, privileged Splunk Phantom instance to an unprivileged instance.

Converting a privileged Splunk Phantom instance to an unprivileged instance cannot be undone. Make sure you wish to convert before running the upgrade.

  1. Make sure you have read Splunk Phantom upgrade overview and prerequisites.
  2. Update the operating system and installed packages. See Prepare your Splunk Phantom deployment for upgrade.
  3. Log in to the Splunk Phantom instance's operating system as the user account that runs Splunk Phantom. On an unprivileged virtual machine image or AMI-based deployment, this user account is "phantom."
  4. If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
    1. Disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
    2. If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
    3. Disable WAL archiving for the PostgreSQL database. Set the archive_mode to "off" in the file <PHANTOM_HOME>/data/db/postgresql.phantom.conf.
      sed -i -e 's/archive_mode = on/archive_mode = off/i' /<PHANTOM_HOME>/data/db/postgresql.phantom.conf
    4. Restart PostgreSQL to make the configuration change take effect. For upgrading a system that is running PostgreSQL version 11:
      /<PHANTOM_HOME>/bin/phsvc restart postgresql-11
  5. As the user 'phantom', copy the installation tar file to the directory where Splunk Phantom is installed. This is the PHANTOM_HOME directory. On an unprivileged virtual machine image or AMI-based deployment, this directory is /opt/phantom/.
  6. As the user 'phantom', extract the installation tar file.
    tar -xvzf phantom-<version>.tgz
  7. Run the upgrade script. If you are converting a privileged instance to an unprivileged instance as part of an upgrade, skip this step.
    /<PHANTOM_HOME>/bin/phenv /<PHANTOM_HOME>/phantom_tar_install.sh upgrade --without-apps
    To upgrade all the installed apps during the platform upgrade:
    /<PHANTOM_HOME>/bin/phenv /<PHANTOM_HOME>/phantom_tar_install.sh upgrade

    Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.

  8. (Conditional) If you are converting a privileged instance to an unprivileged instance as part of an upgrade, run the upgrade script as described in the following sub-steps. The conversion from privileged to unprivileged, from 4.9 to 4.10.0, must be done as root. After that conversion and upgrade are complete, run the upgrade from 4.10.0 to 4.10.x as the 'phantom' user. See Convert a privileged deployment to an unprivileged deployment for more information.
    1. Switch to the user account that runs Splunk Phantom.
      su - phantom
    2. Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured. Check the status of firewalld.
      sudo systemctl status firewalld
      Example output from an active firewalld:
      ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
      Active: active (running) since Tue 2021-03-02 00:37:43 GMT; 2 months 3 days ago
    3. (Conditional) If firewalld is not active, enable it, then activate it.
      sudo systemctl enable firewalld
      sudo systemctl start firewalld
    4. Run the upgrade script.
      /<PHANTOM_HOME>/bin/phenv /<PHANTOM_HOME>/phantom_tar_install.sh upgrade
  9. (Conditional) If the upgrade script produced the following message:
    To improve database performance, after completing the upgrade, run: /<PHANTOM_HOME>/bin/phenv /<PHANTOM_HOME>/usr/postgresql/bin/vacuumdb -h /tmp --all --analyze-in-stages
    Then run the command:
    /<PHANTOM_HOME>/bin/phenv /<PHANTOM_HOME>/usr/postgresql/bin/vacuumdb -h /tmp --all --analyze-in-stages
  10. After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbooks from the drop-down menu, then click the Reindex Search Data button.
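The sub-steps above that are typed into a shell (disable WAL archiving, restart PostgreSQL, confirm that firewalld is active, run the upgrade, then honour the vacuumdb request if the upgrade script prints it) can be scripted so that each one is verified before the next runs. The script below is an added example written for this page; it is not a script shipped with Splunk Phantom. It assumes PHANTOM_HOME defaults to /opt/phantom, that the configuration path, service name and upgrade message are exactly those given in the steps, and all function names are its own.

```shell
#!/bin/sh
# Added example (not part of the Splunk Phantom documentation or product).
# Assumption: PHANTOM_HOME defaults to /opt/phantom, the unprivileged default.
PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
PG_CONF="${PG_CONF:-$PHANTOM_HOME/data/db/postgresql.phantom.conf}"

# Print the effective archive_mode from a postgresql.conf-style file:
# uncommented assignments only, last one wins (as PostgreSQL itself does).
archive_mode_of() {
    sed -n -e "s/^[[:space:]]*archive_mode[[:space:]]*=[[:space:]]*'\{0,1\}\([A-Za-z]*\).*/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Disable WAL archiving in place (step 4.3), keeping a backup of the file,
# and succeed only if the file now reads archive_mode = off.
disable_wal_archiving() {
    conf="$1"
    cp -p "$conf" "$conf.pre-upgrade.bak"
    sed -i -e "s/^\([[:space:]]*archive_mode[[:space:]]*=[[:space:]]*\)'\{0,1\}[Oo][Nn]'\{0,1\}/\1off/" "$conf"
    [ "$(archive_mode_of "$conf")" = "off" ]
}

# Steps 4.3, 4.4 and 8.2/8.3. Only needed when warm standby or ibackup.pyc
# is in use (WAL) and when converting a privileged instance (firewalld).
prepare_for_upgrade() {
    if ! disable_wal_archiving "$PG_CONF"; then
        echo "archive_mode is still not off in $PG_CONF; refusing to continue" >&2
        return 1
    fi
    # Restart PostgreSQL 11 so the configuration change takes effect.
    "$PHANTOM_HOME/bin/phsvc" restart postgresql-11
    # The migration script needs firewalld active; enable and start it if not.
    if ! systemctl is-active --quiet firewalld; then
        sudo systemctl enable firewalld
        sudo systemctl start firewalld
    fi
}

# True when the captured upgrade output contains the message from step 9.
upgrade_requested_vacuum() {
    grep -q 'To improve database performance' "$1"
}

# Step 7 (platform only, apps evaluated separately) followed by step 9.
run_upgrade() {
    log="$PHANTOM_HOME/upgrade-$(date +%Y%m%d%H%M%S).log"
    "$PHANTOM_HOME/bin/phenv" "$PHANTOM_HOME/phantom_tar_install.sh" upgrade --without-apps >"$log" 2>&1
    status=$?
    cat "$log"
    if [ "$status" -ne 0 ]; then
        echo "upgrade script exited with status $status; see $log" >&2
        return "$status"
    fi
    if upgrade_requested_vacuum "$log"; then
        "$PHANTOM_HOME/bin/phenv" "$PHANTOM_HOME/usr/postgresql/bin/vacuumdb" -h /tmp --all --analyze-in-stages
    fi
}

# Usage: run as the 'phantom' user with the tar file already extracted:
#   sh prep-upgrade.sh prepare && sh prep-upgrade.sh upgrade
case "${1:-}" in
    prepare) prepare_for_upgrade ;;
    upgrade) run_upgrade ;;
esac
```

The WAL step is verified by re-reading the file rather than trusting sed's exit status, which is zero even when nothing matched; that is the check worth keeping if you adapt the one-line sed from step 4.3.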
Last modified on 20 September, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10