Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Splunk SOAR (On-premises) upgrade overview and prerequisites

Splunk Phantom and Splunk SOAR (On-premises) releases are numbered as <major>.<minor>.<patch>.<build>.

Examples:

  • Splunk Phantom 4.10.7.63984 is major version 4, minor version 10, patch version 7, build number 63984.
  • Splunk SOAR (On-premises) 5.3.5.97812 is major version 5, minor version 3, patch version 5, build number 97812.
  • Splunk SOAR (On-premises) 5.3.6.136158 is major version 5, minor version 3, patch version 6, build number 136158.

Upgrade overview checklist

Follow these steps to prepare for and then upgrade Splunk SOAR (On-premises):

Step 1: Identify your upgrade path and contact Support to request the TAR file for release 5.3.6. See:

  Plan your upgrade by identifying your currently installed Splunk Phantom or Splunk SOAR (On-premises) release, then the path to your destination release. You must follow the path from your currently installed release to the desired destination release.

Step 2: Make a full backup of your deployment.

  Make a full backup of your deployment before upgrading. See Backup or restore your instance in Administer.
  For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead.

Step 3: Do the prerequisites. See Prerequisites for upgrading.

  1. Obtain logins.
  2. Make sure the instance or cluster nodes have enough available space.
  3. Conditional: Turn off warm standby. See Warm standby feature overview.
  4. Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.

Step 4: Prepare your system for upgrade. See Prepare your Splunk SOAR (On-premises) deployment for upgrade.

Step 5: Upgrade. See Upgrade.

  After all the preparation stages are complete, you can upgrade your instance or cluster. For clustered deployments, after the preparation stages are complete, upgrade your cluster in a rolling fashion, one node at a time.

Step 6: Conditional: Convert a privileged deployment to an unprivileged deployment. See Convert a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment.

  All privileged deployments must be converted to unprivileged deployments before you can upgrade beyond Splunk SOAR (On-premises) release 5.4.0.

Step 7: Conditional: Repair indicator hashes for non-Federal Information Processing Standards (FIPS) deployments.

  If you are upgrading a non-FIPS instance, you must run the following script after running the installation script: repair_520_indicators.sh. That script is located in <$PHANTOM_HOME>/bin/. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution.
  • In clustered configurations, run this script on any single node.
  • In configurations using warm standby, run this script only on the primary system.

Step 8: Conditional: Rerun the setup command for ibackup. See Prepare for a backup in Administer.

Step 9: Conditional: Reestablish warm standby. See Warm standby feature overview.

Important changes between releases

This table lists the releases of Splunk Phantom and Splunk SOAR (On-premises) in which important changes were introduced. Some of these changes may affect your upgrade plans. Review this table carefully before planning your upgrade.

Release Important changes
4.8.24304
  • Added support for Python 3.6 for apps
4.9.39220
  • Removed support for PostgreSQL 9.6
  • Added support for PostgreSQL 11.6
4.10.x
  • Major.minor.patch.build numbering system introduced
  • End of support for RHEL and CentOS 6
  • Added support for Python 3.6 for playbooks
  • Support for TLS 1.1 ends with Splunk Phantom 4.10.5
5.0.1
  • The name of the product changed from Splunk Phantom to Splunk SOAR (On-premises)
5.2.1
  • FIPS support becomes available for new, unprivileged deployments of Splunk SOAR (On-premises) 5.2.1. Splunk SOAR (On-premises) deployments installed in FIPS-compatible mode can only be upgraded in FIPS-compatible mode.
5.3.0
  • Python upgraded from 3.6 to 3.9
  • The format of the Splunk SOAR (On-premises) installation packages and scripts was overhauled in 5.3.0
  • There is no longer a separate installation package for systems with limited Internet access; the TAR file for installations contains all required dependencies.
  • Expanded support for PostgreSQL versions to 11.x
5.3.3
  • Support for Python 2 was deprecated
5.3.4
  • Support for Python 2 was removed. Playbooks and apps written in Python 2 are disabled.
5.3.5
  • Support for privileged installation of Splunk SOAR (On-premises) ends. Any privileged installations must be converted to unprivileged for further upgrades. See also 5.3.6 for additional information.
5.3.6
  • 5.3.6 includes improvements to the upgrade process. You can upgrade privileged deployments of Splunk Phantom release 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.5 directly to release 5.3.6.
  • 5.3.6 includes improvements to the tools for migrating privileged deployments to unprivileged.
  • Support for privileged installation of Splunk SOAR (On-premises) ends. Any privileged installations must be converted to unprivileged for further upgrades.
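The upgrade checklist and the release-change table above gate several steps on the currently installed release and on deployment properties (privileged or not, FIPS mode, warm standby, scheduled backups). The following added example (not Splunk's own tooling) parses the <major>.<minor>.<patch>.<build> numbering and derives which conditional checklist steps and release notes apply to a planned upgrade to 5.3.6; the function and step names are this example's own, and only the rules stated on this page are encoded.

```python
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int


def parse_version(text: str) -> Version:
    """Parse a <major>.<minor>.<patch>.<build> string such as 5.3.6.136158."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected <major>.<minor>.<patch>.<build>, got {text!r}")
    return Version(*(int(p) for p in parts))


def direct_upgrade_to_536(current: Version) -> bool:
    """5.3.6 accepts Phantom 4.10.7 and SOAR 5.0.1 through 5.3.5 directly."""
    release = current[:3]  # the build number does not affect the upgrade path
    return release == (4, 10, 7) or (5, 0, 1) <= release <= (5, 3, 5)


def preupgrade_checklist(current: str, *, privileged: bool, fips: bool,
                         warm_standby: bool, scheduled_backups: bool) -> list[str]:
    """Return the ordered checklist steps that apply to this deployment."""
    v = parse_version(current)
    steps = []
    if not direct_upgrade_to_536(v):
        steps.append("Not a direct predecessor of 5.3.6: plan an intermediate upgrade path")
    steps.append("Request the 5.3.6 TAR file from Support")
    steps.append("Make a full backup (or a VM snapshot for a single-instance VM)")
    if warm_standby:
        steps.append("Turn off warm standby")
    if scheduled_backups:
        steps.append("Deactivate scheduled backups (for example, the backup cron job)")
    steps.append("Run the upgrade (one node at a time for clusters)")
    if privileged:
        steps.append("Convert to unprivileged: required before any upgrade beyond 5.4.0")
    if not fips:
        steps.append("Run $PHANTOM_HOME/bin/repair_520_indicators.sh on one node "
                     "(primary only when warm standby is used)")
    if warm_standby:
        steps.append("Re-establish warm standby")
    if v[:3] < (5, 3, 4):  # note from the 'Important changes' table
        steps.append("Note: Python 2 playbooks and apps are disabled from 5.3.4 onward")
    return steps
```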

Prerequisites for upgrading Splunk SOAR (On-premises)

You need the following information before beginning your upgrade:

  • Logins
    • For unprivileged deployments, you need the login credentials for the user account that runs Splunk SOAR (On-premises). For new AMI versions of Splunk SOAR (On-premises), the user account is phantom.
    • Your Splunk Phantom Community portal login.
  • A minimum of 5GB of space available in the /tmp directory on the instance or cluster node.
  • Make note of the directory where Splunk SOAR (On-premises) is installed.
    • On an unprivileged AMI or virtual machine image deployment: /opt/phantom, also called <$PHANTOM_HOME>.
    • On an unprivileged deployment: the home directory of the user account that will run Splunk SOAR (On-premises), also called <$PHANTOM_HOME>.
  • Conditional: If your deployment uses the warm standby feature, turn off warm standby. See Warm standby feature overview.
  • Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.
  • Conditional: If your deployment is on CentOS or RHEL and has no access or restricted access to the internet, you must create either a satellite server or a local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?

Upgrade Splunk SOAR (On-premises)

When you are ready to upgrade Splunk SOAR (On-premises), follow one of these sets of instructions, based on your deployment type:

Last modified on 13 December, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.4.0

