Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Prepare your Splunk SOAR (On-premises) deployment for upgrade

Before you upgrade Splunk SOAR (On-premises), you need to prepare your instance or your cluster nodes by updating the operating system and any installed packages.

The installation TAR file used for upgrades contains all the required dependencies for Splunk SOAR (On-premises).

Update the operating system and installed packages

Follow these steps to update the operating system and otherwise prepare your deployment for the upgrade.

For a clustered deployment, prepare cluster nodes in a rolling fashion, one cluster node at a time.

  1. Log in to the instance's operating system.
    1. For unprivileged deployments, log in as the user account that runs Splunk SOAR (On-premises).
  2. If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
    1. On a single instance deployment of Splunk SOAR (On-premises), disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk SOAR (On-premises).
    2. If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
  3. Stop all services. For example:
    /<$PHANTOM_HOME>/bin/stop_phantom.sh
  4. Clear the YUM caches. As the root user:
    yum clean all
  5. Update the installed software packages and apply operating system patches. As the root user:
    yum update
  6. Restart the operating system. As the root user:
    reboot
  7. After the system restarts, log in to the operating system as either the root user or a user with sudo privileges.
  8. The install script requires the ability to create jobs in cron. See System requirements for production use. Check that the cron daemon is running.
    ps -ef | grep crond
    1. If the cron daemon is not running, start it.
      systemctl start crond.service
  9. With a text editor, update install_common.py.
    On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration. Change the word "mirror" in the URL to the word "vault".
    GLUSTER_RPM_SOURCE_BASE_URL_EL8 = ("https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/")

The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses to download those packages. You will need to update the file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.
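
Step 9 can be scripted so that the edit touches only the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration, keeps a backup, and is safe to re-run on each cluster node. This is an added example, not Splunk's code: the function names, the sample file contents and the pre-change "mirror" URL are assumptions inferred from the step above.

```shell
#!/bin/sh
# Added example, not Splunk code: scripted form of step 9.
# Assumption: the declaration uses parentheses, on one line or wrapped.
DECL='^GLUSTER_RPM_SOURCE_BASE_URL_EL8 *='

# Print the URL held by the declaration (prints nothing if it is absent).
gluster_url() {
    awk -v decl="$DECL" '
        $0 ~ decl { in_decl = 1 }
        in_decl && match($0, /https?:\/\/[^"]+/) { print substr($0, RSTART, RLENGTH); exit }
        in_decl && /\)/ { exit }
    ' "$1"
}

# Change "mirror" to "vault" inside that declaration only; keep FILE.bak.
# Returns 0 when the file ends up on vault.centos.org, 1 otherwise.
patch_gluster_url() {
    grep -q "$DECL" "$1" || return 1          # wrong file or renamed constant
    pg_tmp=$(mktemp) || return 1
    awk -v decl="$DECL" '
        $0 ~ decl { in_decl = 1 }
        in_decl {
            sub(/\/\/mirror\./, "//vault.")
            if ($0 ~ /\)/) in_decl = 0        # closing paren ends the declaration
        }
        { print }
    ' "$1" > "$pg_tmp" || { rm -f "$pg_tmp"; return 1; }
    if ! cmp -s "$1" "$pg_tmp"; then          # already patched: no backup, no write
        cp -p "$1" "$1.bak" && cat "$pg_tmp" > "$1" || { rm -f "$pg_tmp"; return 1; }
    fi
    rm -f "$pg_tmp"
    gluster_url "$1" | grep -q '^https://vault\.centos\.org/'
}

# Constructed sample standing in for install_common.py. The second URL is the
# one from the page with "mirror" in place of "vault"; the first is unrelated.
make_sample() {
    cat > "$1" <<'EOF'
OTHER_URL = ("https://mirror.example.invalid/unrelated/")
GLUSTER_RPM_SOURCE_BASE_URL_EL8 = (
    "https://mirror.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/"
)
EOF
}
```

Call `patch_gluster_url` with the path to your copy of install_common.py and check its exit status before continuing; a non-zero status means the declaration was not found or does not point at vault.centos.org after the edit.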

Run the soar-prepare-system script

To finish preparing to upgrade Splunk SOAR (On-premises), run the soar-prepare-system script. This script checks for and installs any missing dependencies and verifies that all required system-level options are properly set.

sudo ./soar-prepare-system

You can supply any of the optional arguments for the script listed in soar-prepare-system.sh in the Reference section of this manual.

Upgrade Splunk SOAR (On-premises)

When you are ready to upgrade Splunk SOAR (On-premises), follow one of these sets of instructions, based on your deployment type:

Last modified on 16 August, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.1, 6.2.0, 6.2.1
