Skip to main content
Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

Splunk® SOAR (On-premises)
6.2.1
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

About Splunk SOAR (On-premises) clusters

Splunk SOAR (On-premises) supports clustering.

A cluster consists of a minimum of three instances of Splunk SOAR (On-premises) and its supporting external services; file shares, a PostgreSQL database or database cluster, and at least one load balancer, such as HAProxy.

Splunk SOAR (On-premises) clustering uses additional technologies to support the cluster:

  • GlusterFS for file shares. Other file systems, such as NFS can be used instead of GlusterFS.
  • Consul to provide action locking as needed.
  • RabbitMQ to provide a fast, reliable messaging bus.
  • HAProxy as a load balancer. Alternate load balancers can be used instead of HAProxy.

In a cluster, both the PostgreSQL database and the deployment of Splunk Enterprise are externalized from the Splunk SOAR (On-premises) instances. This allows you to scale your database and Splunk Enterprise deployments separately from the Splunk SOAR (On-premises) nodes.

Splunk SOAR (On-premises) clusters add a level of system redundancy and scaling to your deployment. However, SOAR does not have the ability to automatically scale, or automatically add or remove cluster nodes through external systems such as Kubernetes, AWS, or Azure.

Before creating a cluster, work with your Splunk SOAR (On-premises) delivery team representative to assess your needs and design your cluster.

Why build a Splunk SOAR (On-premises) Cluster?

Clustering addresses several important needs:

  • Clustering adds horizontal scaling for Splunk SOAR (On-premises) workloads, allowing for increased capacity.
  • Clustering adds redundancy for the Splunk SOAR (On-premises) platform. One or more cluster nodes can fail and you still have a functioning deployment of Splunk SOAR (On-premises).
  • Clustering removes system downtime for upgrades or maintenance. You can upgrade individual Splunk SOAR (On-premises) cluster nodes without taking the entire deployment offline.

Building a Splunk SOAR (On-premises) cluster

Clusters are built from unprivileged installations, where required services are provided by servers external to Splunk SOAR (On-premises). Each Splunk SOAR (On-premises) node is converted from a TAR file installation using the make_cluster_node.pyc script. See Create a Splunk SOAR (On-premises) cluster using an unprivileged installation.

Last modified on 28 November, 2023
Log in to the Splunk SOAR (On-premises) web interface   Create a Splunk SOAR (On-premises) cluster using an unprivileged installation

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0, 6.2.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters