Splunk® Phantom

Install and Upgrade Splunk Phantom

Create a Splunk Phantom Cluster from an OVA installation

Converting a Splunk Phantom virtual machine to a server or cluster node is a one-way operation. It cannot be reverted.

Build a cluster with a single Shared Services server

The most basic version of a Splunk Phantom cluster is a single Shared Services server connected to multiple instances of Splunk Phantom.

This configuration is not recommended for production use. This mode is primarily intended for Proof of Value or demonstrations. A single Shared Services server becomes a single point of failure. Any problems on the Shared Services server impact your entire Splunk Phantom cluster.

Use the following checklist for a single Shared Services server:

Number Task Description
1 Create the Shared Services server.
  1. Install a privileged instance of Splunk Phantom using RPM. See Install Splunk Phantom to an existing server with RPM.
  2. Run the make_server_node.pyc script to build your Shared Services server. See Run make_server_node.pyc.
2 Install Splunk Phantom cluster nodes.
  1. Install Splunk Phantom as a virtual machine image, once for each node you need in your cluster. See Install Splunk Phantom as a virtual appliance.
  2. Make the first cluster node. See Run make_cluster_node.pyc.
  3. Make additional cluster nodes.

Build a cluster with external services

Build a more robust cluster, putting each of the services on its own server or group of servers to serve multiple cluster nodes of Splunk Phantom.

Use the following checklist for a virtual machine image cluster with external services:

Number Task Description
1 Create the HAProxy node.
  1. Install a privileged instance of Splunk Phantom using RPM. See Install Splunk Phantom to an existing server with RPM.
  2. Run make_server_node install proxy. See Run make_server_node.pyc.
2 Create the PostgreSQL node.
  1. Install a privileged instance of Splunk Phantom using RPM. See Install Splunk Phantom to an existing server with RPM.
  2. Run make_server_node install db. See Run make_server_node.pyc.
3 Create the file shares node.
  1. Install a privileged instance of Splunk Phantom using RPM. See Install Splunk Phantom to an existing server with RPM.
  2. Run make_server_node install fs. See Run make_server_node.pyc.
4 Create the Splunk Enterprise node.
  1. Install a privileged instance of Splunk Phantom using RPM. See Install Splunk Phantom to an existing server with RPM.
  2. Run make_server_node install splunk. See Run make_server_node.pyc.
5 Install Splunk Phantom cluster nodes.
  1. Install Splunk Phantom as a virtual appliance, once for each node you need in your cluster. See Install Splunk Phantom as a virtual appliance.
  2. Run make_cluster_node.pyc to make the first cluster node. See Run make_cluster_node.pyc.
  3. Make additional cluster nodes.
Last modified on 08 January, 2021

This documentation applies to the following versions of Splunk® Phantom: 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

