Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events



Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.

Install the Splunk Phantom App for Splunk on Splunk Enterprise

Install the Splunk Phantom App for Splunk on a single search head, in a search head cluster, or in a distributed Splunk Enterprise deployment.

Install the Splunk Phantom App for Splunk on a single search head

To install the Splunk Phantom App for Splunk on a single search head, follow these steps:

  1. Download Splunk Phantom App for Splunk from Splunkbase.
  2. Log into your Splunk platform instance.
  3. In the apps panel, click the gear icon.
  4. Click Install app from file.
  5. Upload the Splunk Phantom App for Splunk file you downloaded earlier in this procedure.
  6. Confirm that you want to restart Splunk Enterprise to complete the installation.

You can also search for and install the Splunk Phantom App for Splunk from within Splunk Web instead of downloading the package from Splunkbase first.

Install the Splunk Phantom App for Splunk in a search head cluster

Use a deployer to install the Splunk Phantom App for Splunk in a search head cluster environment. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

Allow the app's configuration file, phantom.conf, to be replicated within the search head cluster by adding it to the replication list in server.conf on the search head cluster captain. Without this setting, configuration changes made to the Splunk Phantom App for Splunk on one member are not replicated to the other members. The suffix after conf_replication_include. is the name of the .conf file without its extension, so phantom in the stanza below refers to phantom.conf.

  1. Edit the $SPLUNK_HOME/etc/system/local/server.conf file.
  2. Add the following configuration:
    [shclustering]
    conf_replication_include.phantom  = true
    
  3. Restart Splunk Enterprise for the changes to take effect.
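The following shell script is an added example, not part of the Splunk documentation or the app itself. It makes the server.conf edit above idempotent: it reports the current value of conf_replication_include.phantom inside the [shclustering] stanza, adds the stanza if it is missing, inserts or corrects the key if it is absent or wrong, and leaves the file untouched if the setting is already true. The file path is a parameter (an assumption of this example) so the script can be tried on a scratch copy; on a real cluster captain the target would be $SPLUNK_HOME/etc/system/local/server.conf, followed by the restart in step 3.

```shell
#!/bin/sh
# Added example (not Splunk's code): idempotently enable replication of
# phantom.conf in a search head cluster by ensuring server.conf contains
#   [shclustering]
#   conf_replication_include.phantom = true
# The path is passed as $1 so the script can be run against a scratch copy.

SETTING_KEY="conf_replication_include.phantom"
SETTING_VAL="true"

# Print the value of conf_replication_include.phantom from the
# [shclustering] stanza only, or nothing if the stanza or key is absent.
# A matching key in another stanza is ignored on purpose.
get_phantom_replication() {
    awk -v key="$SETTING_KEY" '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[shclustering\][ \t]*$/); next }
        in_stanza {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }
    ' "$1"
}

# Ensure the setting is present and true. Returns 0 on success.
enable_phantom_replication() {
    conf="$1"
    current="$(get_phantom_replication "$conf")"
    if [ "$current" = "$SETTING_VAL" ]; then
        return 0            # already configured; nothing to do
    fi
    if grep -q '^[ \t]*\[shclustering\][ \t]*$' "$conf" 2>/dev/null; then
        # Stanza exists: drop any stale value of the key and insert ours
        # directly under the stanza header. Other settings are preserved.
        tmp="$conf.tmp.$$"
        awk -v key="$SETTING_KEY" -v val="$SETTING_VAL" '
            /^[ \t]*\[/ {
                in_stanza = ($0 ~ /^[ \t]*\[shclustering\][ \t]*$/)
                print
                if (in_stanza) print key " = " val
                next
            }
            in_stanza {
                split($0, kv, "=")
                k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
                if (k == key) next
            }
            { print }
        ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        # No [shclustering] stanza yet: append one (file is created if missing).
        {
            [ -s "$conf" ] && printf '\n'
            printf '[shclustering]\n%s = %s\n' "$SETTING_KEY" "$SETTING_VAL"
        } >> "$conf"
    fi
    # Verify the edit took effect before reporting success.
    [ "$(get_phantom_replication "$conf")" = "$SETTING_VAL" ]
}
```

Run it as `enable_phantom_replication /path/to/server.conf` and then restart Splunk Enterprise; running it a second time is a no-op, so it is safe to include in a configuration-management step that executes on every run.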

Install the Splunk Phantom App for Splunk in a distributed Splunk Enterprise environment

Use the tables below to determine where and how to install the Splunk Phantom App for Splunk in a distributed Splunk Enterprise deployment.

Where to install the app in a distributed deployment

Use the table to determine where to install the Splunk Phantom App for Splunk in a distributed Splunk Enterprise deployment.

Splunk instance type | Install the app here? | Comments
---------------------|-----------------------|---------
Search heads         | Yes                   | Install the app on every search head that will forward events to Splunk Phantom.
Indexers             | Yes                   | The app provides an indexes.conf file that creates the phantom_modalert index.
Forwarders           | No                    | The app does not contain inputs for forwarder data collection.

Distributed deployment compatibility

Use the table to check the compatibility of the Splunk Phantom App for Splunk with Splunk Enterprise distributed deployment features.

Distributed deployment feature | Supported | Comments
-------------------------------|-----------|---------
Search head clusters           | Yes       | Use the search head cluster deployer to distribute the app across search head cluster members. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.
Indexer clusters               | Yes       | The app provides an indexes.conf file that creates the phantom_modalert index.
Deployment server              | No        | The app does not contain inputs for forwarder data collection, so there is nothing for a deployment server to distribute.
Last modified on 13 September, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73

