Splunk® Phantom

Install and Upgrade Splunk Phantom

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Phantom. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade Splunk Phantom on a system with limited internet access

Some deployments of Splunk Phantom have deliberately limited access to the internet, making it difficult to upgrade using RPM packages. TAR file distributions of Phantom are available to upgrade these offline deployments.

To upgrade an offline Phantom deployment:

  1. Get the upgrade TAR file.
  2. Update the operating system and dependencies.
  3. Upgrade Splunk Phantom from the tar file.
  4. Validate the upgrade by logging in to the Splunk Phantom web interface.
  5. From Main Menu > Administration > Administration Settings > Search Settings, select "playbooks from the drop-down menu, then click the Reindex Search Data button.

Get the upgrade TAR file

Contact Splunk Phantom Support to get access to the offline installer tar file. Once access has been granted, you can download the file from the Splunk Phantom community website.

Offline upgrade TAR files are available for these operating systems:

  • Red Hat Enterprise Linux 6.10, 7.6
  • CentOS 6.10, 7.6

Update the operating system and dependencies

Do these tasks with root permissions, either by logging in as root or as a user with sudo permission.

On Red Hat Enterprise Linux, you must either create a satellite server or local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?

  1. Delete the file /tmp/phantomOvaUpgrade.
    rm -f /tmp/phantomOvaUpgrade
  2. Clear YUM's caches.
    yum clean all
  3. Update the operating system and all installed packages.
    yum update
  4. Restart the operating system.
    shutdown -r now

Additional repositories

You may need additional repositories to satisfy dependencies.

The upgrade repositories are:

OS version CentOS RHEL
6 [base]



[rhel-6-server-optional-rpms] *

7 [base]



[rhel-7-server-optional-rpms] *

* These repositories are only needed if your deployment is using the version of PostgreSQL distributed by Red Hat. The version of PostgreSQL bundled with Splunk Phantom is the version distributed by the PostgreSQL Global Development Group (PGDG).

Upgrade Splunk Phantom from the tar file

  1. Make a directory for the tar file.
    mkdir /usr/local/src/upgrade-<version>
  2. Change to the created directory.
    cd /usr/local/src/upgrade-<version>
  3. Download or copy the tar file to the directory.
  4. Extract the tar file.
    tar -xvzf phantom_offline_setup_<OS>-<version>.tgz
  5. Change to the directory phantom_offline_setup:
    cd phantom_offline_setup_<OS>-<version>.tgz
  6. Run the installation script.
    ./phantom_offline_setup_<OS>.sh upgrade
    To upgrade without apps, add --without-apps to the command:
    ./phantom_offline_setup_<OS>.sh upgrade --without-apps
  7. After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbooks from the drop-down menu, then click the Reindex Search Data button.
Last modified on 20 July, 2020
Upgrade a standalone Splunk Phantom instance
Upgrade an unprivileged standalone Splunk Phantom instance

This documentation applies to the following versions of Splunk® Phantom: 4.8

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters