Upgrade a single Splunk SOAR (On-premises) instance on a system with limited internet access
It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises).
- Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
- Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1.
See Splunk SOAR (On-premises) upgrade overview and prerequisites for more information.
Some deployments of Splunk SOAR (On-premises) have deliberately limited access to the internet, making it difficult to upgrade using RPM packages. TAR file distributions of Splunk SOAR (On-premises) are available to upgrade these offline deployments.
To upgrade an offline Splunk SOAR (On-premises) deployment:
- Get the upgrade TAR file. See Splunk SOAR (On-premises) repositories and signing keys packages.
- Update the operating system and dependencies. See Prepare your Splunk SOAR (On-premises) deployment for upgrade.
- Upgrade Splunk SOAR (On-premises) from the tar file.
Upgrade Splunk SOAR (On-premises) from the tar file
- Make sure you have read and done the steps from Splunk SOAR (On-premises) upgrade overview and prerequisites.
- Log in to the Splunk SOAR (On-premises) instance's operating system as either the root user or a user with sudo privileges.
- Make a directory for the tar file.
    mkdir /usr/local/src/upgrade-<version>
- Change to the directory you just created.
    cd /usr/local/src/upgrade-<version>
- Download or copy the tar file to the directory.
- Extract the TAR file.
    tar -xvzf phantom_offline_setup_<OS>-<version>.tgz
- Change to the directory phantom_offline_setup, which was created by extracting the TAR file:
    cd phantom_offline_setup_<OS>-<version>
- Run the installation script with the nohup command. Using nohup helps you avoid issues in case the SSH session times out, such as upgrade failure or system wipe and rebuild.
    nohup ./phantom_offline_setup_<OS>.sh upgrade --no-prompt --without-apps > soar_upgrade_1.out 2> soar_upgrade_2.out 3> soar_upgrade_3.out &
  To upgrade all the installed apps during the platform upgrade:
    nohup ./phantom_offline_setup_<OS>.sh --no-prompt upgrade > soar_upgrade_1.out 2> soar_upgrade_2.out 3> soar_upgrade_3.out &
  Output from the command is redirected to the files soar_upgrade_1.out, soar_upgrade_2.out, and soar_upgrade_3.out.
  Because upgraded apps may require changes to their asset configuration, apps should be individually evaluated and upgraded using Main Menu > Apps, then clicking the APP UPDATES button.
- If the upgrade script produced the following message:
    To improve database performance, after completing the upgrade, run: su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
  Then run the command:
    su - postgres -c '/usr/pgsql-11/bin/vacuumdb -h /tmp --all --analyze-in-stages'
- Validate the upgrade by logging in to the Splunk SOAR (On-premises) web interface.
- Once your deployment has been upgraded, reindex playbook data. From Main Menu > Administration > Administration Settings > Search Settings, select "playbooks" from the drop-down menu, then click the Reindex Search Data button.
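
Because the upgrade TAR file is extracted and run as root, it is worth checking the file before the "Extract the TAR file" step. The following is an added example, not part of Splunk's documentation: it assumes you have a SHA-256 digest for the file obtained through a trusted channel, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-extraction checks for phantom_offline_setup_<OS>-<version>.tgz.
# Usage (in a script that sources this file):
#   preflight phantom_offline_setup_<OS>-<version>.tgz <expected-sha256> && tar -xvzf ...

# verify_sha256 FILE EXPECTED_HEX -> 0 only if the file's digest equals EXPECTED_HEX.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# check_members FILE -> 0 only if every archive member sits under a single
# top-level directory named after the archive (FILE without ".tgz"), with no
# absolute paths and no ".." components. An unreadable or empty archive fails.
check_members() {
    top=$(basename "$1" .tgz)
    list=$(tar -tzf "$1" 2>/dev/null) || return 2
    printf '%s\n' "$list" | awk -v top="$top" '
        /^\//              { bad = 1 }   # absolute path
        /(^|\/)\.\.(\/|$)/ { bad = 1 }   # parent-directory component
        { sub(/^\.\//, ""); split($0, p, "/"); if (p[1] != top) bad = 1 }
        END { exit bad }'
}

# preflight FILE EXPECTED_HEX -> 0 if both checks pass; prints the reason otherwise.
preflight() {
    verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    check_members "$1" || { echo "unexpected member path in: $1" >&2; return 1; }
}
```

The member check covers path names only; it does not inspect symbolic links or file modes inside the archive.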
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1