Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:

Upgrade path for Splunk SOAR (On-premises) unprivileged installations

Unprivileged deployments of Splunk Phantom or Splunk SOAR (On-premises) have a more streamlined upgrade path than privileged deployments.

Upgrade paths:

  • Unprivileged Splunk Phantom deployments running a release earlier than release 4.10.7 must be upgraded incrementally from release to release, until Splunk Phantom release 4.10.7.
  • Unprivileged Splunk Phantom deployments running release 4.10.7 can be upgraded directly to Splunk SOAR (On-premises) release 6.2.1, then can upgrade to release 6.3.0.
  • Unprivileged Splunk SOAR (On-premises) running a release earlier than release 6.2.1 can be upgraded to Splunk SOAR (On-premises) release 6.2.1, and then to release 6.3.0.
  • Deployments running on the CentOS 7 operating system must migrate to a supported operating system before they can upgrade beyond release 6.3.0.
  • Deployments running on Amazon Linux 2 are encouraged to migrate to Amazon Linux 2023. See Migrate a Splunk SOAR (On-premises) install from Amazon Linux 2 to Amazon Linux 2023.

All deployments must upgrade to Splunk SOAR (On-premises) 6.2.1 before upgrading to higher releases in order to upgrade the PostgreSQL database. PostgreSQL databases local to the SOAR deployment are updated to PostgreSQL 15.x during the upgrade process. The PostgreSQL database for all clustered deployments, or deployments using an external database must be upgraded manually.

If your Splunk SOAR (On-premises) deployment is running on the CentOS operating system, you must migrate the deployment to a supported operating system before you can upgrade beyond release 6.3.0.

A list of important or breaking changes and the versions where those changes occur is in Splunk SOAR (On-premises) upgrade overview and prerequisites. Review that list before upgrading.

Upgrade path table

Look on the following table to find your currently installed Splunk Phantom or Splunk SOAR (On-premises) release to see your complete upgrade path.

Starting version Path to current version Details
4.6.19142
  1. Upgrade to 4.8.24304
  2. Upgrade to 4.9.39220
  3. Upgrade to 4.10.7
  4. Upgrade to 6.2.1
  5. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  6. Upgrade to 6.3.0
  7. (Conditional) If needed, migrate from CentOS to a supported operating system.
  8. Upgrade to 6.4.0
  9. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 4.8.24304
    1. Single instance upgrade 4.8 Upgrade an unprivileged Splunk Phantom Cluster
    2. Cluster upgrade 4.8 Upgrade an unprivileged Splunk Phantom Cluster
  2. Upgrade to 4.9.39220
    1. Single instance upgrade 4.9 Upgrade an unprivileged Splunk Phantom Cluster
    2. Cluster upgrade 4.9 Upgrade an unprivileged Splunk Phantom Cluster
  3. Upgrade to 4.10.7
    1. Single instance upgrade 4.10.0 - 4.10.7 Upgrade a single unprivileged Splunk Phantom instance
    2. Cluster upgrade 4.10.0 - 4.10.7 Upgrade an unprivileged Splunk Phantom Cluster
  4. Upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) cluster
  5. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  6. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  7. (Conditional) If needed, migrate from CentOS to a supported operating system.
  8. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  9. (Conditional) If needed, migrate to a supported operating system.
4.8.24304
  1. Upgrade to 4.9.39220
  2. Upgrade to 4.10.7
  3. Upgrade to 6.2.1
  4. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  5. Upgrade to 6.3.0
  6. (Conditional) If needed, migrate from CentOS to a supported operating system.
  7. Upgrade to 6.4.0
  8. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 4.9.39220
    1. Single instance upgrade 4.9 Upgrade an unprivileged Splunk Phantom Cluster
    2. Cluster upgrade 4.9 Upgrade an unprivileged Splunk Phantom Cluster
  2. Upgrade to 4.10.7
    1. Single instance upgrade 4.10.0 - 4.10.7 Upgrade a single unprivileged Splunk Phantom instance
    2. Cluster upgrade 4.10.0 - 4.10.7 Upgrade an unprivileged Splunk Phantom Cluster
  3. Upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) cluster
  4. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  5. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  6. (Conditional) If needed, migrate from CentOS to a supported operating system.
  7. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  8. (Conditional) If needed, migrate to a supported operating system.
4.9.39220
  1. Upgrade to 4.10.7
  2. Upgrade to 6.2.1
  3. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  4. Upgrade to 6.3.0
  5. (Conditional) If needed, migrate from CentOS to a supported operating system.
  6. Upgrade to 6.4.0
  7. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 4.10.7
    1. Single instance upgrade 4.10.0 - 4.10.7 Upgrade a single unprivileged Splunk Phantom instance
    2. Cluster upgrade 4.10.0 - 4.10.7 Upgrade an unprivileged Splunk Phantom Cluster
  2. Upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) cluster
  3. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  4. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  5. (Conditional) If needed, migrate from CentOS to a supported operating system.
  6. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  7. (Conditional) If needed, migrate to a supported operating system.
4.10.0 - 4.10.6
  1. Upgrade to 4.10.7
  2. Upgrade to 6.2.1
  3. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  4. Upgrade to 6.3.0
  5. (Conditional) If needed, migrate from CentOS to a supported operating system.
  6. Upgrade to 6.4.0
  7. (Conditional) If needed, migrate to a supported operating system.
 See:
  1. Upgrade to 4.10.7
    1. Single instance upgrade 4.10.0 - 4.10.7 Upgrade a single unprivileged Splunk Phantom instance
    2. Cluster upgrade 4.10.0 - 4.10.7 Upgrade an unprivileged Splunk Phantom Cluster
  2. Upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) cluster
  3. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  4. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  5. (Conditional) If needed, migrate from CentOS to a supported operating system.
  6. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  7. (Conditional) If needed, migrate to a supported operating system.
4.10.7
  1. Upgrade to 6.2.1
  2. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  3. Upgrade to 6.3.0
  4. (Conditional) If needed, migrate from CentOS to a supported operating system.
  5. Upgrade to 6.4.0
  6. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) cluster
  2. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  3. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  4. (Conditional) If needed, migrate from CentOS to a supported operating system.
  5. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  6. (Conditional) If needed, migrate to a supported operating system.
5.0.1 - 6.1.0
  1. Upgrade to 6.2.1
  2. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  3. Upgrade to 6.3.0
  4. (Conditional) If needed, migrate from CentOS to a supported operating system.
  5. Upgrade to 6.4.0
  6. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) cluster
  2. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  3. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  4. (Conditional) If needed, migrate from CentOS to a supported operating system.
  5. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  6. (Conditional) If needed, migrate to a supported operating system.
6.1.1
  1. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  2. (Conditional) If you upgraded your external PostgreSQL database to 15.x in the previous step, then upgrade to 6.3.0.
  3. (Conditional) If you are using the embedded PostgreSQL database in your Splunk SOAR (On-premises) deployment, then upgrade to 6.2.1.
  4. Upgrade to 6.3.0
  5. (Conditional) If needed, migrate from CentOS to a supported operating system.
  6. Upgrade to 6.4.0
  7. (Conditional) If needed, migrate to a supported operating system.
  1. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  2. (Conditional) If you upgraded your external PostgreSQL database to 15.x in the previous step, then upgrade to 6.3.0.
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  3. (Conditional) If you are using the embedded PostgreSQL database, upgrade to 6.2.1
    1. Single instance upgrade to 6.2.1 Upgrade a Splunk SOAR (On-premises) instance
  4. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  5. (Conditional) If needed, migrate from CentOS to a supported operating system.
  6. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  7. (Conditional) If needed, migrate to a supported operating system.
6.2.0
  1. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  2. (Conditional) If you upgraded your external PostgreSQL database to 15.x in the previous step, then upgrade to 6.3.0.
  3. Upgrade to 6.3.0
  4. (Conditional) If needed, migrate from CentOS to a supported operating system.
  5. Upgrade to 6.4.0
  6. (Conditional) If needed, migrate to a supported operating system.
  1. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  2. (Conditional) If you upgraded your external PostgreSQL database to 15.x in the previous step, then upgrade to 6.3.0.
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  3. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  4. (Conditional) If needed, migrate from CentOS to a supported operating system.
  5. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  6. (Conditional) If needed, migrate to a supported operating system.
6.2.1
  1. (Conditional) If you have a clustered deployment, or an external PostgreSQL 11.x database, upgrade your external PostgreSQL 11.x database to PostgreSQL 15.x.
  2. Upgrade to 6.3.0
  3. (Conditional) If needed, migrate from CentOS to a supported operating system.
  4. Upgrade to 6.4.0
  5. (Conditional) If needed, migrate to a supported operating system.
  1. (Conditional) Clustered deployments or deployments with an external PostgreSQL 11.x database, upgrade PostgreSQL to 15.x
    1. See Upgrading a PostgreSQL Cluster on PostgreSQL.org.
  2. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  3. (Conditional) If needed, migrate from CentOS to a supported operating system.
  4. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  5. (Conditional) If needed, migrate to a supported operating system.
6.2.2
  1. Upgrade to 6.3.0
  2. (Conditional) If needed, migrate from CentOS to a supported operating system.
  3. Upgrade to 6.4.0
  4. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 6.3.0
    1. Single instance upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.3.0 Upgrade a Splunk SOAR (On-premises) cluster
  2. (Conditional) If needed, migrate from CentOS to a supported operating system.
  3. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  4. (Conditional) If needed, migrate to a supported operating system.
6.3.0
  1. Upgrade to 6.4.0
  2. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  2. (Conditional) If needed, migrate to a supported operating system.
6.3.1
  1. Upgrade to 6.4.0
  2. (Conditional) If needed, migrate to a supported operating system.
  1. Upgrade to 6.4.0
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  2. (Conditional) If needed, migrate to a supported operating system.
6.4.0.90
  1. Upgrade to 6.4.0.92
  2. (Conditional) If needed, migrate to a supported operating system.

If you previously upgraded to release 6.4.0.90, you should either patch your instance of 6.4.0.90 or upgrade to release 6.4.0.92 to correct a potential Automation Broker issue. For patching instructions, see https://splunk.my.site.com/customer/s/article/SOAR-6-4-0-90-on-prem-Automation-Broker-patch

  1. Upgrade to 6.4.0.92
    1. Single instance upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) instance
    2. Cluster upgrade to 6.4.0 Upgrade a Splunk SOAR (On-premises) cluster
  2. (Conditional) If needed, migrate to a supported operating system.


Example

To upgrade from Splunk Phantom release 4.6 to Splunk SOAR (On-premises) 6.4.0:

  1. Upgrade your Splunk Phantom to release 4.8.24304
  2. Upgrade Splunk Phantom to release 4.9.39220
  3. Upgrade Splunk Phantom to release 4.10.7.63984
  4. Upgrade to Splunk SOAR (On-premises) release 6.2.1
  5. Upgrade to Splunk SOAR (On-premises) release 6.3.0
  6. If needed, migrate from CentOS to a supported operating system.
  7. Upgrade to 6.4.0.92
  8. (Conditional) If needed, migrate to a supported operating system.
Last modified on 21 March, 2025
Upgrade path for Splunk SOAR (On-premises) privileged installations   Prepare your Splunk SOAR (On-premises) deployment for upgrade

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.4.0

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters