After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Download topic as PDF
upgrade overview and prerequisites
From release 5.3.1 it is possible to upgrade by skipping directly to later releases.
- Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert your privileged deployment to unprivileged, then finally upgrade to Splunk SOAR (On-premises) release 6.1.1.
- Unprivileged deployments can upgrade directly to Splunk SOAR (On-premises) release 6.1.1.
The current upgrade path can go as follows:
- 4.6.latest version -> 4.8.any version
- 4.8.latest version -> 4.9.any version
- 4.9.latest version -> 4.10.any version
- 4.10.any version -> 4.10.any later version. You cannot go backwards.
- 4.10.7
- Privileged deployments upgrade to directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
- Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1
- 5.0.1 through 5.3.1
- Privileged deployments upgrade to directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
- Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1
Python 3.9 impact on apps: You must upgrade apps to be compatible with with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.
See the following table for latest build numbers.
| Starting Splunk Phantom or release | Build number | Upgrade to version | Build number |
|---|---|---|---|
| Splunk Phantom 4.6 | 4.6.19142 | Splunk Phantom 4.8 patch 1 | 4.8.24304 |
| Splunk Phantom 4.8 patch 1 | 4.8.24304 | Splunk Phantom 4.9 Release 5 | 4.9.39220 |
| Splunk Phantom 4.9 Release 5 | 4.9.39220 | Splunk Phantom 4.10.7 | 4.10.7.63984 |
| Splunk Phantom 4.10.7 | 4.10.7.63984 | Privileged Splunk SOAR (On-premises) 5.3.6 See
Unprivileged Splunk SOAR (On-premises) 6.1.1 |
5.3.6.136158
6.1.1.211 |
| Splunk SOAR (On-premises) 5.0.1 | 5.0.1.66250 | Privileged Splunk SOAR (On-premises) 5.3.6 See
Unprivileged Splunk SOAR (On-premises) 6.1.1 |
5.3.6.136158
6.1.1.211 |
| Splunk SOAR (On-premises) 5.1.0 | 5.1.0.70187 | Privileged Splunk SOAR (On-premises) 5.3.6 See
Unprivileged Splunk SOAR (On-premises) 6.1.1 |
5.3.6.136158
6.1.1.211 |
| Splunk SOAR (On-premises) 5.2.1 | 5.2.1.78411 | Privileged Splunk SOAR (On-premises) 5.3.6 See
Unprivileged Splunk SOAR (On-premises) 6.1.1 |
5.3.6.136158
6.1.1.211 |
| Splunk SOAR (On-premises) 5.3.1 | 5.3.1.84890 | Privileged Splunk SOAR (On-premises) 5.3.6 See
Unprivileged Splunk SOAR (On-premises) 6.1.1 |
5.3.6.136158
6.1.1.211 |
Upgrade checklist
Follow these steps to prepare for and upgrade :
| Step | Tasks | Description |
|---|---|---|
| 1 | Make a full backup of your deployment | Make a full backup of your deployment before upgrading. See Backup or restore your instance in Administer .
For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead. |
| 2 | Do the prerequisites | See Prerequisites for upgrading .
|
| 3 | Upgrade | See Upgrade |
| 4 | Repair indicator hashes for non-federal information processing standards (FIPS) | If you are upgrading a non-FIPS instance, you must run the following script after running the installation script: repair_520_indicators.sh. That script is located in <$PHANTOM_HOME>/bin/. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution.
|
| 5 | Conditional Rerun the setup command for ibackup | See Prepare for a backup in Administer . |
After all the preparation stages are complete, you can upgrade your instance or cluster. For clustered deployments, after the preparation stages are complete, upgrading your cluster is done in a rolling fashion, one node at a time.
Prerequisites for upgrading Splunk SOAR (On-premises)
You need the following information before beginning your upgrade:
- Logins
- For privileged deployments, user accounts on the operating system for your instance or cluster nodes with sudo or root access on those systems.
- For unprivileged deployments, you also need the login credentials for the user account that runs . For new AMI versions of , the user account is phantom.
- Your Splunk Phantom Community portal login.
- If your deployment has restricted internet access, you will need a local yum repository or a satellite server from which to get yum packages.
- A minimum of 5GB of space available in the
/tmpdirectory on the instance or cluster node. - Make note of the directory where is installed.
- On a privileged deployment - /opt/phantom
- On an unprivileged AMI deployment - /opt/phantom, also called <$PHANTOM_HOME>.
- On an unprivileged deployment - the home directory of the user account that will run , also called <$PHANTOM_HOME>.
For deployments with restricted internet access, add local yum repositories for upgrade
If your deployment has no access or restricted access to the internet, you must either create a satellite server or local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?
The required upgrade repositories are as follows:
| OS version | CentOS | RHEL |
|---|---|---|
| 7 | [base]
[updates] |
[rhel-7-server-rpms]
[rhel-server-rhscl-7-rpms] |
Upgrade Splunk SOAR (On-premises)
When you are ready to upgrade , follow one of these sets of instructions, based on your deployment type:
|
PREVIOUS Set up Splunk Enterprise |
NEXT Convert a privileged deployment to an unprivileged deployment |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.1
Feedback submitted, thanks!