Splunk® Phantom

Install and Upgrade Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Phantom. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade an unprivileged standalone Splunk Phantom instance

Follow these steps to upgrade your unprivileged Splunk Phantom instance.

  1. Make sure you have read Splunk Phantom upgrade overview and prerequisites.
  2. Download the installation tar file from the Splunk Phantom Community portal. If you do not see the required file, contact Phantom support.
  3. Log in to the Splunk Phantom instance's operating system as the user account that runs Splunk Phantom. On an unprivileged virtual machine image or AMI-based deployment, this user account is "phantom."
  4. If you are using a warm standby, disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
  5. If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
  6. Stop all Splunk Phantom services. For example, as the root user:
    /home/<username>/<PHANTOM_HOME>/bin/stop_phantom.sh
  7. Delete the file /tmp/phantomOvaUpgrade.
    rm -f /tmp/phantomOvaUpgrade
  8. Clear the YUM caches. For example, as the root user:
    yum clean all
  9. Update the operating system and installed packages. For example:
    yum update --exclude=nginx
  10. Restart the operating system. For example, as the root user:
    reboot
  11. After the system restarts, log in to the operating system as the user account that runs Splunk Phantom.
  12. Copy the installation tar file to the directory where Splunk Phantom was installed. This is the PHANTOM_HOME​ directory.
  13. Extract the installation tar file. For example, as the user account that runs Splunk Phantom:
    tar -xvzf phantom-<version>.tgz
  14. Run the upgrade script.
    <PHANTOM_HOME>/phantom_tar_install.sh upgrade
    If you don't want to upgrade your installed apps at during the upgrade, you can use the --without-apps option.
    <PHANTOM_HOME>/phantom_tar_install.sh upgrade --without-apps
  15. After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbooks from the drop-down menu, then click the Reindex Search Data button.
Last modified on 22 April, 2021
PREVIOUS
Upgrade Splunk Phantom on a system with limited internet access
  NEXT
Upgrade a Splunk Phantom cluster

This documentation applies to the following versions of Splunk® Phantom: 4.8


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters