Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

upgrade overview and prerequisites

From release 5.3.5 it is possible to upgrade by skipping directly to later releases.

  • Privileged deployments convert your privileged deployment to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
  • Unprivileged deployments can upgrade directly to Splunk SOAR (On-premises) release 6.1.1.

The current upgrade path can go as follows:

  • 4.6.latest version to 4.8.any version
  • 4.8.latest version to 4.9.any version
  • 4.9.latest version to 4.10.any version
  • 4.10.any version to 4.10.any later version. You cannot go backwards.
  • 4.10.7
    • Privileged deployments upgrade to directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
    • Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1
  • 5.0.1 through 5.3.4
    • Privileged deployments upgrade to directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
    • Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1
  • 5.3.5
    • Privileged deployments convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
    • Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1


See the following table for latest build numbers.

Starting Splunk Phantom or release Build number Upgrade to version Build number
Splunk Phantom 4.6 4.6.19142 Splunk Phantom 4.8 patch 1 4.8.24304
Splunk Phantom 4.8 patch 1 4.8.24304 Splunk Phantom 4.9 Release 5 4.9.39220
Splunk Phantom 4.9 Release 5 4.9.39220 Splunk Phantom 4.10.7 4.10.7.63984
Splunk Phantom 4.10.7 4.10.7.63984 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.0.1 5.0.1.66250 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.1.0 5.1.0.70187 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.2.1 5.2.1.78411 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.3.1 5.3.1.84890 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.3.2 5.3.2.88192 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.3.3 5.3.3.92213 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.3.4 5.3.4.95226 Privileged Splunk SOAR (On-premises) 5.3.6
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

5.3.6.136158

6.1.1.211

Splunk SOAR (On-premises) 5.3.5 5.3.5.97812 Convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) 6.1.1
See

Unprivileged Splunk SOAR (On-premises) 6.1.1
See

6.1.1.211

Upgrade checklist

Follow these steps to prepare for and upgrade :

Step Tasks Description
1 Make a full backup of your deployment Make a full backup of your deployment before upgrading. See Backup or restore your instance in Administer .

For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead.

2 Do the prerequisites See Prerequisites for upgrading .
  1. Obtain logins
  2. Make sure the instance or cluster nodes have enough available space.
  3. If needed, add a local yum repository or create a satellite server for yum updates.
3 Upgrade See Upgrade
4 Repair indicator hashes for non-federal information processing standards (FIPS) If you are upgrading a non-FIPS instance, you must run the following script after running the installation script: repair_520_indicators.sh. That script is located in <PHANTOM_HOME>/bin/. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution.
  • In clustered configurations, run this script on any single node.
  • In configurations using warm standby, run this script only on the primary system.
5 Conditional Rerun the setup command for ibackup See Prepare for a backup in Administer .

After all the preparation stages are complete, you can upgrade your instance or cluster. For clustered deployments, after the preparation stages are complete, upgrading your cluster is done in a rolling fashion, one node at a time.

Prerequisites for upgrading Splunk SOAR (On-premises)

You need the following information before beginning your upgrade:

  • Logins
    • For privileged deployments, user accounts on the operating system for your instance or cluster nodes with sudo or root access on those systems.
    • For unprivileged deployments, you also need the login credentials for the user account that runs . For new AMI versions of , the user account is phantom.
    • Your Splunk Phantom Community portal login.
  • If your deployment has restricted internet access, you will need a local yum repository or a satellite server from which to get yum packages.
  • A minimum of 5GB of space available in the /tmp directory on the instance or cluster node.
  • Make note of the directory where is installed.
    • On a privileged deployment - /opt/phantom
    • On an unprivileged AMI deployment - /opt/phantom, also called <$PHANTOM_HOME>.
    • On an unprivileged deployment - the home directory of the user account that will run , also called <$PHANTOM_HOME>.

For deployments with restricted internet access, add local yum repositories for upgrade

If your deployment has no access or restricted access to the internet, you must either create a satellite server or local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?

The required upgrade repositories are as follows:

OS version CentOS RHEL
7 [base]

[updates]

[rhel-7-server-rpms]

[rhel-server-rhscl-7-rpms]
[rhel-7-server-optional-rpms]

Prepare your Splunk SOAR (On-premises) deployment for upgrade

Before you upgrade , you will need to prepare your instance or your cluster nodes by updating the operating system, installed packages, and adding the repositories and their signing keys.

Migrate a privileged deployment to an unprivileged deployment

The AMI and OVA versions of are unprivileged. New AMI and OVA installations run as the user account phantom rather than as root.

Update the operating system and installed packages

Follow these steps to update the operating system and otherwise prepare your deployment for the upgrade.

For a clustered deployment, prepare cluster nodes in a rolling fashion, one cluster node at a time.

  1. Log in to the instance's operating system:
    1. For privileged deployments, log in as the root user or a user with sudo privileges.
    2. For unprivileged deployments, log in as the user account that runs .
  2. If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
    1. On a single instance deployment of , disable warm standby. See Upgrade or maintain warm standby instances in Administer .
    2. If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
  1. Stop all services. For example, as the root user:
    /<$PHANTOM_HOME>/bin/stop_phantom.sh
  2. Clear the YUM caches. As the root user:
    yum clean all
  3. Update the installed software packages and apply operating system patches. As the root user:
    yum update
    Systems which cannot access YUM repositories over the internet need a satellite server. See For deployments with restricted internet access, add local yum repositories for upgrade.

    If you are using the EPEL repository some packages may be upgraded to a version higher than supported by Splunk SOAR (On-premises). In this case, you want to use the Official Offline RPMs instead of using YUM to get the required versions of package dependencies for Splunk SOAR (On-premises). See For Splunk Phantom deployments without internet access or unprivileged deployments for instructions.

  4. Restart the operating system. As the root user:
    reboot
  5. After the system restarts, log in to the operating system as either the root user or a user with sudo privileges.
  6. The install script requires the ability to create jobs in cron. See System requirements for production use. Check that the cron daemon is running.
    ps -ef | grep crond
    1. If the cron daemon is not running, start it.
      systemctl start crond.service

Upgrade Splunk SOAR (On-premises)

When you are ready to upgrade , follow one of these sets of instructions, based on your deployment type:

Last modified on 29 September, 2023
Set up Splunk Enterprise   Convert a privileged deployment to an unprivileged deployment

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters