Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Upgrade a single instance on a system with limited internet access

It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises).

Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.

Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1

See Splunk SOAR (On-premises) upgrade overview and prerequisites for more information.

Some deployments of have deliberately limited access to the internet, making it difficult to upgrade using RPM packages. TAR file distributions of are available to upgrade these offline deployments.

To upgrade an offline deployment:

  1. Get the upgrade TAR file. See repositories and signing keys packages.
  2. Update the operating system and dependencies. See Prepare your deployment for upgrade.
  3. Upgrade from the tar file.

Upgrade from the tar file

  1. Make sure you have read and done the steps from upgrade overview and prerequisites.
  2. Log in to the instance's operating system as either the root user or a user with sudo privileges.
  3. Make a directory for the tar file.
    mkdir /usr/local/src/upgrade-<version>
  4. Change to the directory you just created.
    cd /usr/local/src/upgrade-<version>
  5. Download or copy the tar file to the directory.
  6. Extract the TAR file.
    tar -xvzf phantom_offline_setup_<OS>-<version>.tgz
  7. Change to the directory phantom_offline_setup, which was created by extracting the TAR file:
    cd phantom_offline_setup_<OS>-<version>
  8. Run the installation script with the nohup command. Using nohup helps you avoid issues in case the SSH session times out, such as upgrade failure or system wipe and rebuild.
    nohup phantom_offline_setup_<OS>.sh upgrade --no-prompt --without-apps > soar_upgrade_1.out 2> soar_upgrade_2.out 3> soar_upgrade_3.out &
    To upgrade all the installed apps during the platform upgrade:
    nohup phantom_offline_setup_<OS>.sh --no-prompt upgrade> soar_upgrade_1.out 2> soar_upgrade_2.out 3> soar_upgrade_3.out &
    Output from the command is redirected to the files soar_upgrade_1.out, soar_upgrade_2.out, and soar_upgrade_3.out.

    Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.

  9. If the upgrade script produced the following message: 
    To improve database performance, after completing the upgrade, run: su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
    Then run the command: 
    su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
  10. Validate the upgrade by logging in to the web interface.
  11. Once your deployment has been upgraded, reindex playbook data. From Main Menu > Administration > Administration Settings > Search Settings, select "playbooks from the drop-down menu, then click the Reindex Search Data button.
Last modified on 26 September, 2023
Upgrade a single instance   Upgrade a single unprivileged instance

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters