Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of SOARonprem. Click here for the latest version.
Acrobat logo Download topic as PDF

upgrade overview and prerequisites

requires incremental upgrades from earlier versions. This means, for example, that you need to upgrade from the latest version of 5.0.x to the latest version of 5.1.x to the latest version of 5.2.x to the latest version of 5.3.x.

The current upgrade path is as follows:

  • 4.6.latest version to 4.8.any version
  • 4.8.latest version to 4.9.any version
  • 4.9.latest version to 4.10.any version
  • 4.10.any version to 4.10.any later version (no going backward)
  • 4.10.latest version (4.10.7) to 5.0.1
  • 5.0.1 to 5.1.0
  • 5.1.0 to 5.2.1
  • 5.2.1 to 5.3.1

Python 3.9 impact on apps: You must upgrade apps to be compatible with with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Refer to the following table for latest build numbers:

Starting Splunk Phantom or release Build number Upgrade to version Build number
Splunk Phantom 4.6 4.6.19142 Splunk Phantom 4.8 patch 1 4.8.24304
Splunk Phantom 4.8 patch 1 4.8.24304 Splunk Phantom 4.9 Release 5 4.9.39220
Splunk Phantom 4.9 Release 5 4.9.39220 Splunk Phantom 4.10.7
Splunk Phantom 4.10.7 5.0.1
5.0.1 5.1.0
5.1.0 5.2.1
5.2.1 5.3.1

Do not skip any required versions when upgrading. For example, to upgrade from Splunk SOAR (On-premises) version 5.1.0, you must upgrade to Splunk SOAR (On-premises) 5.2.1 first, before upgrading to Splunk SOAR (On-premises) 5.3.1.

Upgrade checklist

Follow these steps to prepare for and upgrade :

Step Tasks Description
1 Make a full backup of your deployment Make a full backup of your deployment before upgrading. See Backup or restore your instance in Administer .

For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead.

2 Do the prerequisites See Prerequisites for upgrading .
  1. Obtain logins
  2. Make sure the instance or cluster nodes have enough available space.
  3. If needed, add a local yum repository or create a satellite server for yum updates.
3 Upgrade See Upgrade
4 Repair indicator hashes for non-federal information processing standards (FIPS) If you are upgrading a non-FIPS instance, you must run the following script after running the installation script: repair_520_indicators.sh. That script is located in the home directory you specified in the --phantom-home argument. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution.
  • In clustered configurations, run this script on any single node.
  • In configurations using warm standby, run this script only on the primary system.
5 Conditional Rerun the setup command for ibackup See Prepare for a backup in Administer .

After all the preparation stages are complete, you can upgrade your instance or cluster. For clustered deployments, after the preparation stages are complete, upgrading your cluster is done in a rolling fashion, one node at a time.

Prerequisites for upgrading

You need the following information before beginning your upgrade:

  • Logins
    • For privileged deployments, user accounts on the operating system for your instance or cluster nodes with sudo or root access on those systems.
    • For unprivileged deployments, you also need the login credentials for the user account that runs . For new AMI versions of , the user account is phantom.
    • Your Splunk Phantom Community portal login.
  • If your deployment has restricted internet access, you will need a local yum repository or a satellite server from which to get yum packages.
  • A minimum of 5GB of space available in the /tmp directory on the instance or cluster node.

For deployments with restricted internet access, add local yum repositories for upgrade

If your deployment has no access or restricted access to the internet, you must either create a satellite server or local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?

The required upgrade repositories are as follows:

OS version CentOS RHEL
7 [base]





When you are ready to upgrade , follow one of these sets of instructions, based on your deployment type:

Last modified on 06 June, 2022
Set up Splunk Enterprise
Convert a privileged deployment to an unprivileged deployment

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters