Do these steps as the phantom user.

1. If the primary instance of Splunk SOAR (On-premises) is online, you must stop all Splunk SOAR (On-premises) services. The warm standby will not take over if it detects that the primary instance is still operating.

   /<PHANTOM_HOME>/bin/stop_phantom.sh

2. SSH to your warm standby Splunk SOAR (On-premises) instance.

    SSH <username>@<warm_standby_phantom_hostname> 

3. Run the setup_warm_standby.pyc script to convert the standby to the primary.
   On Splunk SOAR (On-premises) instances version 4.6.19142 or newer:

   phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --convert-to-primary --ignore-package-updates

   On Splunk SOAR (On-premises) instances version 4.6.18265 or earlier:

   phenv python /<PHANTOM_HOME>/bin/setup_warm_standby.pyc --standby-mode --convert-to-primary

4. Update DNS to resolve the hostname of your Splunk SOAR (On-premises) instance to the IP address of the new primary.
   Note: If your former Splunk SOAR (On-premises) primary instance was paired with Splunk Enterprise Security, you may need to reestablish the pairing. See Pair Splunk SOAR (On-premises) with Splunk Enterprise Security in Administer Splunk SOAR (On-premises).
5. If you are ingesting from external services, you will need to update their configurations to use the new primary. Elasticsearch users will need to manually reindex in Main Menu > Administration > Administration Settings > Search Settings.

After the failover procedure, the warm standby is now the primary instance of Splunk SOAR (On-premises). The previous primary should be offline.