Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

About Splunk Phantom clusters

Splunk Phantom supports clustering.

A cluster consists of a minimum of three instances of Splunk Phantom and its supporting external services: file shares, a PostgreSQL database or database cluster, Splunk Enterprise, and at least one load balancer, such as HAProxy.

Splunk Phantom clustering uses additional technologies to support the cluster that are not required in a single-instance deployment of the OVA virtual machine image:

  • GlusterFS for file shares. Other file systems, such as NFS, can be used instead of GlusterFS.
  • Consul to provide action locking as needed.
  • RabbitMQ to provide a fast, reliable messaging bus.
  • HAProxy as a load balancer. Alternate load balancers can be used instead of HAProxy.

In a cluster, both the PostgreSQL database and the deployment of Splunk Enterprise are externalized from the Splunk Phantom instances. This allows you to scale your database and Splunk Enterprise deployments separately from the Splunk Phantom nodes.

Before creating a cluster, work with your Splunk Phantom delivery team representative to assess your needs and design your cluster.

Why build a Splunk Phantom Cluster?

Clustering addresses several important needs:

  • Clustering adds horizontal scaling for Splunk Phantom workloads, allowing for increased capacity.
  • Clustering adds redundancy for the Splunk Phantom platform. One or more cluster nodes can fail and you still have a functioning deployment of Splunk Phantom.
  • Clustering removes system downtime for upgrades or maintenance. You can upgrade individual Splunk Phantom cluster nodes without taking the entire deployment offline.
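
The redundancy and rolling-upgrade benefits above depend on the load balancer noticing when a node is unavailable and routing around it. The following HAProxy configuration is an added example, not part of the Splunk Phantom documentation: it fronts three cluster nodes, passes TLS through to them, and health-checks each node so a failed or in-maintenance node is dropped from rotation. The node hostnames, the use of port 443 for the web interface, source-based balancing and the check timings are assumptions for illustration; adjust them to your deployment.

```haproxy
# Added example (not from the Splunk Phantom documentation): HAProxy in front of a
# three-node Splunk Phantom cluster. Hostnames, port 443, the balancing algorithm
# and the timing values are assumptions chosen for illustration.
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Front end for the Phantom web interface. TLS is passed through unchanged
# (mode tcp), so each node keeps terminating its own certificate.
frontend phantom_https
    bind *:443
    default_backend phantom_nodes

# Back end: the three cluster nodes. Each node is checked every 5 s; after three
# failed checks it leaves the rotation and returns after two successful checks.
# This is what keeps the cluster serving while one node is down or being upgraded.
backend phantom_nodes
    balance source
    option tcp-check
    default-server inter 5s fall 3 rise 2
    server phantom-node1 phantom-node1.example.internal:443 check
    server phantom-node2 phantom-node2.example.internal:443 check
    server phantom-node3 phantom-node3.example.internal:443 check
```

To take a node out for maintenance deliberately rather than waiting for the health check to fail, disable its server entry through the HAProxy runtime API before starting the upgrade, then re-enable it once the node is back; the other two nodes keep handling traffic in the meantime.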

Building a Splunk Phantom cluster

Clusters can be built in the following ways.

  1. Convert virtual appliances installed using an OVA to a server or cluster node. You can convert a virtual appliance to a specific role using provided scripts. See Create a Splunk Phantom Cluster from an OVA installation.

    Converting a Splunk Phantom virtual appliance to a server or cluster node is a one-way operation. It cannot be reverted.

  2. From privileged installations, where required services are provided by servers external to Splunk Phantom. Each Splunk Phantom node is converted from an .rpm or .tar file installation using the make_cluster_node.pyc script. See Create a Splunk Phantom Cluster from an RPM or TAR file installation.
  3. From unprivileged installations, where required services are provided by servers external to Splunk Phantom. Each Splunk Phantom node is converted from an .rpm or .tar file installation using the make_cluster_node.pyc script. See Create a Splunk Phantom cluster using an unprivileged installation.
Last modified on 03 August, 2021

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
