After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Splunk SOAR (On-premises) upgrade overview and prerequisites
Splunk Phantom and Splunk SOAR (On-premises) releases are numbered as <major>.<minor>.<patch>.<build>.
Examples:
- Splunk Phantom 4.10.7.63984 is major version 4, minor version 10, patch version 7, build number 63984.
- Splunk SOAR (On-premises) 5.3.5.97812 is major version 5, minor version 3, patch version 5, build number 97812.
- Splunk SOAR (On-premises) 6.0.0.114895 is major version 6, minor version 0, patch version 0, build number 114895.
- Splunk SOAR (On-premises) 6.0.1.123902 is major version 6, minor version 0, patch version 1, build number 123902.
Upgrade overview checklist
Follow these steps to prepare for and then upgrade Splunk SOAR (On-premises):
Step | Tasks | Description |
---|---|---|
1 | Identify your upgrade path. | See: You will need to plan your upgrades by identifying your currently installed Splunk Phantom or Splunk SOAR (On-premises) release, then the path to your destination release. You must follow the path from your currently installed release to the desired destination release. |
2 | Make a full backup of your deployment | Make a full backup of your deployment before upgrading. See Backup or restore your instance in Administer Splunk SOAR (On-premises). For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead. |
3 | Do the prerequisites | See Prerequisites for upgrading Splunk SOAR (On-premises). |
4 | Prepare your system for upgrade | See Prepare your Splunk SOAR (On-premises) deployment for upgrade. |
5 | Conditional: Convert a privileged deployment to an unprivileged deployment. | See Convert a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment. |
6 | Upgrade | See Upgrade Splunk SOAR (On-premises). After all the preparation stages are complete, you can upgrade your instance or cluster. For clustered deployments, after the preparation stages are complete, upgrade your cluster in a rolling fashion, one node at a time. |
7 | Conditional: Repair indicator hashes for non-federal information processing standards (FIPS) deployments. | If you are upgrading a non-FIPS instance, you must run the following script after running the installation script: repair_520_indicators.sh. That script is located in <PHANTOM_HOME>/bin/. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution. |
8 | Conditional: Rerun the setup command for ibackup | See Prepare for a backup in Administer Splunk SOAR (On-premises). |
9 | Conditional: Reestablish warm standby. | See Warm standby feature overview. |
Important changes between releases
This table lists the Splunk Phantom and Splunk SOAR (On-premises) releases in which important changes were introduced. Some of these changes may impact your upgrade plans. Review this table carefully before planning your upgrade.
Release | Important changes |
---|---|
4.8.24304 | |
4.9.39220 | |
4.10.x | |
5.0.1 | |
5.2.1 | |
5.3.0 | |
5.3.3 | |
5.3.4 | |
5.3.5 | |
5.3.6 | |
5.5.0 | |
6.0.0 | |
6.0.1 | |
Prerequisites for upgrading Splunk SOAR (On-premises)
You need the following information before beginning your upgrade:
- Logins
  - For unprivileged deployments, you need the login credentials for the user account that runs Splunk SOAR (On-premises). For new AMI versions of Splunk SOAR (On-premises), the user account is phantom. See What's new in 6.0.0 in Release Notes for important information about the change to the default administrator user account.
  - Your Splunk Phantom Community portal login.
- A minimum of 5GB of space available in the /tmp directory on the instance or cluster node.
- Make note of the directory where Splunk SOAR (On-premises) is installed.
  - On an unprivileged AMI, or virtual machine image deployment - /opt/phantom, also called <PHANTOM_HOME>.
  - On an unprivileged deployment - the home directory of the user account that will run Splunk SOAR (On-premises), also called <PHANTOM_HOME>.
- Conditional: If your deployment uses the warm standby feature, turn off warm standby. See Warm standby feature overview.
- Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.
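The prerequisites above can be checked mechanically before an upgrade window. The following script is an added example, not part of the Splunk documentation or tooling: it validates the release number format, the 5GB /tmp requirement, the install directory, and looks for cron entries that still schedule backups. All function names are hypothetical, and matching cron jobs on the word "backup" is an assumption about how the jobs are named.

```shell
#!/bin/sh
# Added pre-upgrade check; not Splunk tooling. All function names are hypothetical.

# 5GB minimum for /tmp from the prerequisites, expressed in KB (assumes 1GB = 1024*1024 KB).
REQUIRED_TMP_KB=$((5 * 1024 * 1024))

# Split <major>.<minor>.<patch>.<build> into "major minor patch build"; reject anything else.
parse_release() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # word-split on dots only; input is digits and dots at this point
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo "$1 $2 $3 $4"
}

# Free KB on the filesystem holding directory $1 (POSIX df output, column 4).
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# True when a free-space figure in KB meets the 5GB minimum.
enough_tmp_space() {
    [ "$1" -ge "$REQUIRED_TMP_KB" ]
}

# Read crontab text on stdin; print entries that are not commented out and mention
# "backup" (assumption: scheduled backup jobs, ibackup included, carry that word).
active_backup_jobs() {
    grep -v '^[[:space:]]*#' | grep -i 'backup'
}

# Usage: preflight <PHANTOM_HOME> <installed release>. Returns non-zero if any check fails.
preflight() {
    rc=0
    [ -d "$1" ] || { echo "FAIL: install directory $1 not found"; rc=1; }
    parse_release "$2" >/dev/null || { echo "FAIL: $2 is not <major>.<minor>.<patch>.<build>"; rc=1; }
    enough_tmp_space "$(free_kb /tmp)" || { echo "FAIL: less than 5GB free in /tmp"; rc=1; }
    if crontab -l 2>/dev/null | active_backup_jobs; then
        echo "FAIL: the cron entries above still schedule backups"; rc=1
    fi
    return $rc
}

# Run the checks only when called with both arguments, e.g. ./preflight.sh /opt/phantom 6.0.0.114895
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it as the user account whose crontab holds the backup job, since `crontab -l` only lists the current user's entries. Warm standby status is not checked here and still has to be confirmed by hand.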
Upgrade Splunk SOAR (On-premises)
Prepare your system for upgrade by completing the prerequisites listed in Prepare your Splunk SOAR (On-premises) deployment for upgrade.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.1