Splunk SOAR (On-premises) upgrade overview and prerequisites (2024)

Splunk Phantom and Splunk SOAR (On-premises) releases are numbered as <major>.<minor>.<patch>.<build>.

Examples:

  • Splunk Phantom 4.10.7.63984 is major version 4, minor version 10, patch version 7, build number 63984.
  • Splunk SOAR (On-premises) 5.3.5.97812 is major version 5, minor version 3, patch version 5, build number 97812.
  • Splunk SOAR (On-premises) 6.0.0.114895 is major version 6, minor version 0, patch version 0, build number 114895.
  • Splunk SOAR (On-premises) 6.0.1.123902 is major version 6, minor version 0, patch version 1, build number 123902.
  • Splunk SOAR (On-premises) 6.0.2.127725 is major version 6, minor version 0, patch version 2, build number 127725.
  • Splunk SOAR (On-premises) 6.1.0.112 is major version 6, minor version 1, patch version 0, build number 112.
  • Splunk SOAR (On-premises) 6.1.1.211 is major version 6, minor version 1, patch version 1, build number 211.
  • Splunk SOAR (On-premises) 6.2.0.355 is major version 6, minor version 2, patch version 0, build number 355.

Upgrade overview checklist

Follow these steps to prepare for and then upgrade Splunk SOAR (On-premises):

Step 1: Identify your upgrade path.
  See:
  • Upgrade path for Splunk SOAR (On-premises) privileged installations
  • Upgrade path for Splunk SOAR (On-premises) unprivileged installations

  Plan your upgrade by identifying your currently installed Splunk Phantom or Splunk SOAR (On-premises) release, then identifying the path from that release to your destination release. You must follow the path from your currently installed release to the desired destination release.

Step 2: Make a full backup of your deployment.
  Make a full backup of your deployment before upgrading. See Backup or restore your instance in Administer Splunk SOAR (On-premises).

  For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead.

Step 3: Perform the prerequisites.
  See Prerequisites for upgrading Splunk SOAR (On-premises).
  1. Obtain logins.
  2. Make sure the instance or cluster nodes have enough available space.

     Upgrading Splunk SOAR (On-premises) to release 6.2.0 or higher may require additional disk space, because the PostgreSQL database is migrated from PostgreSQL 11.x to PostgreSQL 15.x.

     See Additional disk space requirements for upgrading PostgreSQL in this topic for more information.
  3. Conditional: Turn off warm standby. See Warm standby feature overview.
  4. Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.

Step 4: Prepare your system for upgrade.
  See Prepare your Splunk SOAR (On-premises) deployment for upgrade.

Step 5: Conditional: Convert a privileged deployment to an unprivileged deployment.
  See Convert a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment.

Step 6: Upgrade.
  See Upgrade Splunk SOAR (On-premises).

  After all the preparation stages are complete, you can upgrade your instance or cluster. For clustered deployments, upgrade your cluster in a rolling fashion, one node at a time.

Step 7: Conditional: Repair indicator hashes for non-Federal Information Processing Standards (FIPS) deployments.
  If you are upgrading a non-FIPS instance, you must run the following script after running the installation script: repair_520_indicators.sh. That script is located in <$PHANTOM_HOME>/bin/. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution.
  • In clustered configurations, run this script on any single node.
  • In configurations using warm standby, run this script only on the primary system.

Step 8: Conditional: Rerun the setup command for ibackup.
  See Prepare for a backup in Administer Splunk SOAR (On-premises).

Step 9: Conditional: Reestablish warm standby.
  See Warm standby feature overview.

Important changes between releases

This table lists the Splunk Phantom and Splunk SOAR (On-premises) releases that introduced important changes. Some of these changes may affect your upgrade plans. Review this table carefully before planning your upgrade.

Release and important changes
4.8.24304
  • Added support for Python 3.6 for apps
4.9.39220
  • Removed support for PostgreSQL 9.6
  • Added support for PostgreSQL 11.6
4.10.x
  • Major.minor.patch.build numbering system introduced
  • End of support for RHEL and CentOS 6
  • Added support for Python 3.6 for playbooks
  • Support for TLS 1.1 ends with Splunk Phantom 4.10.5
5.0.1
  • The name of the product changed from Splunk Phantom to Splunk SOAR (On-premises)
5.2.1
  • FIPS support becomes available for new, unprivileged deployments of Splunk SOAR (On-premises) 5.2.1. Splunk SOAR (On-premises) deployments installed in FIPS-compatible mode can only be upgraded in FIPS-compatible mode.
5.3.0
  • Python upgraded from 3.6 to 3.9
  • The format of the Splunk SOAR (On-premises) installation packages and scripts was overhauled in 5.3.0.
  • There is no longer a separate installation package for systems with limited Internet access; the TAR file for installations contains all required dependencies.
  • Expanded support for PostgreSQL versions to 11.x
5.3.3
  • Support for Python 2 was deprecated
5.3.4
  • Support for Python 2 was removed. Playbooks and apps written in Python 2 are disabled.
5.3.5
  • Support for privileged installation of Splunk SOAR (On-premises) ends. Any privileged installations must be converted to unprivileged for further upgrades.
5.3.6
  • 5.3.6 includes improvements to the upgrade process. You can upgrade privileged deployments of Splunk Phantom release 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.5 directly to release 5.3.6.
  • 5.3.6 includes improvements to the tools for migrating privileged deployments to unprivileged.
  • Support for privileged installation of Splunk SOAR (On-premises) ends. Any privileged installations must be converted to unprivileged for further upgrades.
5.5.0
  • Support added for Red Hat Enterprise Linux 8
  • Support added for Amazon Linux 2
6.0.0
  • Default administrative user is now called soar_local_admin. For details, see Welcome to Splunk SOAR (On-premises) 6.0.0 in the Splunk SOAR (On-premises) Release Notes.
6.0.1
  • You can now upgrade directly to the latest Splunk SOAR (On-premises) version.
  • Encryption algorithm for SAML updated from rsa-1_5 to rsa-oaep-mgf1p.
6.0.2
  • Includes all updates found in 6.0.0 and 6.0.1. Fixes issues with 6.0.0 and 6.0.1.
6.1.0
  • Unprivileged deployments of Splunk Phantom 4.10.7 and all unprivileged deployments of Splunk SOAR (On-premises) can now upgrade from any earlier release directly to release 6.1.0.
6.1.1
  • Added support for external PostgreSQL 15.x databases.
  • Unprivileged deployments of Splunk Phantom 4.10.7 and all unprivileged deployments of Splunk SOAR (On-premises) can now upgrade from any earlier release directly to release 6.1.1 or later.
6.2.0
  • Upgraded internal PostgreSQL databases to version 15.
  • Replaced embedded copy of Splunk Enterprise with Universal Forwarders.

Prerequisites for upgrading Splunk SOAR (On-premises)

You need the following information before beginning your upgrade:

  • Logins
    • For unprivileged deployments, you need the login credentials for the user account that runs Splunk SOAR (On-premises). For new AMI versions of Splunk SOAR (On-premises), the user account is phantom.

      See What's new in 6.0.0 in Release Notes for important information about the change to the default administrator user account.

    • Your Splunk Phantom Community portal login.
  • A minimum of 5GB of space available in the /tmp directory on the instance or cluster node.
  • Enough free disk space in <$PHANTOM_HOME>/data/ and its subdirectories to allow for the upgrade of PostgreSQL. See Additional disk space requirements for upgrading PostgreSQL in this topic for more information.
  • Make note of the directory where Splunk SOAR (On-premises) is installed.
    • On an unprivileged AMI, or virtual machine image deployment - /opt/phantom, also called <$PHANTOM_HOME>.
    • On an unprivileged deployment - the home directory of the user account that will run Splunk SOAR (On-premises), also called <$PHANTOM_HOME>.
  • Conditional: If your deployment uses the warm standby feature, turn off warm standby. See Warm standby feature overview.
  • Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.

Additional disk space requirements for upgrading PostgreSQL

In order to upgrade to Splunk SOAR (On-premises) release 6.2.0 or higher, the disk partition that holds <$PHANTOM_HOME>/data/ and its subdirectories needs to be large enough to hold a copy of both the PostgreSQL 11.x database and the PostgreSQL 15.x database.

  • If you have mounted the <$PHANTOM_HOME>/data/db/ partition elsewhere, you must make sure that mount is large enough to accommodate the upgrade.
  • During the upgrade, your existing Splunk SOAR (On-premises) PostgreSQL 11.x database will be moved to <$PHANTOM_HOME>/data/db/db.old/. This copy is used as part of the migration to copy your existing data into the new database, and as a data integrity precaution.
  • After the upgrade, your new PostgreSQL 15.x database will be located in the same location as the previous PostgreSQL 11.x database, <$PHANTOM_HOME>/data/db/.

Do the following steps before upgrading to make sure you have sufficient space for the upgrade:

  1. Check the size of your current PostgreSQL 11.x database directory.
    du -sh <$PHANTOM_HOME>/data/db/ 

    Example output:

    [phantom@localhost db]$ du -sh /opt/phantom/data/db/
    102G /opt/phantom/data/db/
  2. Use the output from the disk usage command to calculate the minimum required disk space, which is 225% (2.25 times) the current database size.
    <du output> * 2.25 = <minimum required disk space to upgrade PostgreSQL>

    Calculation:

    102G * 2.25 = 229.5G
  3. Locate your <$PHANTOM_HOME>/data/db/ directory.
    grep "<$PHANTOM_HOME>/data/db/" /proc/mounts

    If this command returns nothing, your directory is mounted in the default location <$PHANTOM_HOME>/data/db/.

  4. If your current <$PHANTOM_HOME>/data/ partition does not have at least as much available space as calculated in step 2, you must increase the size of the <$PHANTOM_HOME>/data/ partition to have at least that much available space.
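The four-step check above, automated as an added example (this is not Splunk's own tooling). It assumes <$PHANTOM_HOME> is /opt/phantom unless PHANTOM_HOME is set in the environment, and uses df on the directory path, which reports the containing filesystem whether or not data/db/ is a dedicated mount.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: automates the disk-space check for
# the PostgreSQL 11.x -> 15.x migration. PHANTOM_HOME is assumed to be
# /opt/phantom unless set in the environment.

# Minimum required space: 225% (2.25 times) the current db directory size,
# computed in kilobytes with integer arithmetic and rounded up.
required_kb() {
    echo $(( ($1 * 225 + 99) / 100 ))
}

# Size of a directory in 1K blocks (du -sk is portable across GNU and BSD du).
db_size_kb() {
    du -sk "$1" | awk '{print $1}'
}

# Filesystem mount point that holds a directory. Unlike grepping /proc/mounts,
# df on the path also reports the parent filesystem when data/db/ is not a
# dedicated mount, which is the default layout.
db_mount() {
    df -P "$1" | awk 'NR==2 {print $6}'
}

# Free space in kilobytes on the filesystem that holds a directory.
available_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Succeeds when available KB ($1) meets required KB ($2).
check_space() {
    [ "$1" -ge "$2" ]
}

main() {
    db_dir="${PHANTOM_HOME:-/opt/phantom}/data/db"
    size=$(db_size_kb "$db_dir")
    need=$(required_kb "$size")
    avail=$(available_kb "$db_dir")
    printf '%s is on %s: size %s KB, required %s KB, available %s KB\n' \
        "$db_dir" "$(db_mount "$db_dir")" "$size" "$need" "$avail"
    if check_space "$avail" "$need"; then
        echo "OK: enough free space for the PostgreSQL upgrade"
    else
        echo "INSUFFICIENT: grow the partition holding $db_dir before upgrading" >&2
        return 1
    fi
}
# Run the check only when saved and executed as check_db_space.sh.
if [ "${0##*/}" = "check_db_space.sh" ]; then main; fi
```

Save it as check_db_space.sh and run it as the user that owns <$PHANTOM_HOME> so du can read every subdirectory of data/db/.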

Upgrade Splunk SOAR (On-premises)

When you are ready to upgrade Splunk SOAR (On-premises), follow one of these sets of instructions, based on your deployment type:

  • Upgrade a Splunk SOAR (On-premises) instance
  • Upgrade a Splunk SOAR (On-premises) cluster