Upgrade a single Splunk Phantom instance
Follow these steps to upgrade your Splunk Phantom instance.
If your Splunk Phantom deployment is not a cluster and uses an external PostgreSQL database, an external GlusterFS file share, or both, you must upgrade the external services before upgrading Splunk Phantom itself.
- Make sure you have read and completed the steps in Splunk Phantom upgrade overview and prerequisites.
- Log in to the Splunk Phantom instance's operating system as either the root user or a user with sudo privileges.
- If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps. If you have already disabled warm standby, cancelled backups, and set archive_mode to "off", skip these steps.
  - Disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
  - If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
  - Disable WAL archiving for the PostgreSQL database. Set archive_mode to "off" in the file /opt/phantom/data/db/postgresql.phantom.conf.
    sed -i -e 's/archive_mode = on/archive_mode = off/i' /opt/phantom/data/db/postgresql.phantom.conf
  - Restart PostgreSQL to make the configuration change take effect.
    If you are upgrading a system that is running PostgreSQL version 9.4:
    /<PHANTOM_HOME>/bin/phsvc restart postgresql-9.4
    If you are upgrading a system that is running PostgreSQL version 11:
    /<PHANTOM_HOME>/bin/phsvc restart postgresql-11
- If your Splunk Phantom instance uses an external PostgreSQL database or GlusterFS-based fileshare, those need to be upgraded before Splunk Phantom:
  - Stop all Splunk Phantom services. For example, as the root user:
    /opt/phantom/bin/stop_phantom.sh
  - If your Splunk Phantom instance uses an external PostgreSQL database, upgrade PostgreSQL. See Upgrade PostgreSQL for Splunk Phantom deployments with external databases.
  - If your Splunk Phantom deployment uses an external GlusterFS-based file share, upgrade GlusterFS. See Upgrade GlusterFS for Splunk Phantom deployments with GlusterFS fileshares.
  - After the PostgreSQL and GlusterFS upgrades are complete, start all Splunk Phantom services. For example, as the root user:
    /opt/phantom/bin/start_phantom.sh
- Run the upgrade script. You will be prompted during this script for your Splunk Phantom Community portal login. For example, as the root user:
  /opt/phantom/bin/phantom_setup.sh upgrade
  If you don't want to upgrade your installed apps during the upgrade, you can use the --without-apps option.
  /opt/phantom/bin/phantom_setup.sh upgrade --without-apps
- If the upgrade script produced the following message:
  To improve database performance, after completing the upgrade, run: su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
  Then run the command:
  su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
- After the upgrade is complete, from Main Menu > Administration > Administration Settings > Search Settings, select Playbook from the drop-down menu, then click the Reindex Search Data button.
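The sed command in the WAL archiving step rewrites only lines spelled exactly `archive_mode = on`, so a setting written as `archive_mode=on` or `archive_mode = 'on'` is left unchanged. The following check, added here as an example and not part of the Splunk documentation, reads back the effective value before you restart PostgreSQL; the function names are hypothetical and it assumes the setting lives in the one file passed in (include directives are not followed).

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): confirm archive_mode is off.
# PostgreSQL applies the last uncommented occurrence of a setting in a file,
# and parameter names are case-insensitive.

# Print the effective archive_mode value, or "unset" if no active line sets it.
effective_archive_mode() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk -v q="'" '
        {
            line = tolower($0)
            sub(/#.*/, "", line)                  # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
            if (line !~ /^archive_mode([ \t]*=|[ \t])/) next
            sub(/^archive_mode[ \t]*=?[ \t]*/, "", line)
            gsub(q, "", line)                     # strip quoting around the value
            val = line; found = 1
        }
        END { print (found ? val : "unset") }
    ' "$conf"
}

# Return 0 only when archiving is confirmed off ("unset" means the default, off).
# Any other spelling is treated as not confirmed so that it gets reviewed.
archive_mode_is_off() {
    mode=$(effective_archive_mode "$1") || return 2
    case "$mode" in
        off|unset) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage: sh check_archive_mode.sh /opt/phantom/data/db/postgresql.phantom.conf
if [ "$#" -gt 0 ]; then
    if archive_mode_is_off "$1"; then
        echo "archive_mode is off in $1"
    else
        echo "archive_mode is NOT confirmed off in $1: $(effective_archive_mode "$1")"
        exit 1
    fi
fi
```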
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9