Install Splunk Phantom as a virtual appliance
Splunk Phantom is delivered as a virtual machine image in .OVA format.
Download the virtual appliance image from the Splunk Phantom Community site on the Products page.
For evaluation or test environments, use a hypervisor or virtual machine management application such as VMware Fusion®, VMware Fusion Pro®, VMware Workstation Player®, VMware Workstation Pro®, or Oracle® VirtualBox.
For production environments, use VMware ESXi™ or VMware vSphere® version 5 or higher.
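Before importing the downloaded image, its contents can be checked against the manifest packaged inside it. An OVA is a tar archive that may include a .mf manifest of per-file digests. The following is an added example, not Splunk code: it verifies those digests, assumes the OVA you downloaded ships a manifest, and uses constructed sample file names.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest line format, e.g.: SHA256(disk1.vmdk)= <hex digest>
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\s*\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)$")

def verify_ova(fileobj):
    """Map each OVA member to "ok", "mismatch", "missing" (manifest only) or
    "unlisted" (archive only). Raises ValueError if there is no manifest."""
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:  # an OVA is a plain tar
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        mf_name = next((n for n in members if n.lower().endswith(".mf")), None)
        if mf_name is None:
            raise ValueError("OVA has no .mf manifest; nothing to verify against")
        manifest = tar.extractfile(members[mf_name]).read().decode("utf-8")
        found = (MF_LINE.match(line.strip()) for line in manifest.splitlines())
        expected = {m.group(2): (m.group(1).lower(), m.group(3).lower()) for m in found if m}
        results = {n: "missing" for n in expected if n not in members}
        for name in (n for n in expected if n in members):
            algo, want = expected[name]
            digest = hashlib.new(algo)
            stream = tar.extractfile(members[name])
            for chunk in iter(lambda: stream.read(1 << 20), b""):  # hash in 1 MiB chunks
                digest.update(chunk)
            results[name] = "ok" if digest.hexdigest() == want else "mismatch"
        for name in members:  # the manifest and optional .cert signature are never listed
            if name not in expected and not name.lower().endswith((".mf", ".cert")):
                results[name] = "unlisted"
        return results

def build_sample_ova(tamper=False):
    """Constructed sample: a tiny in-memory OVA with made-up file names."""
    files = {"sample.ovf": b"<Envelope/>", "sample-disk1.vmdk": b"constructed disk"}
    lines = [f"SHA256({n})= {hashlib.sha256(d).hexdigest()}" for n, d in files.items()]
    if tamper:  # change the disk after the manifest was computed
        files["sample-disk1.vmdk"] += b"!"
    files["sample.mf"] = "\n".join(lines).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

A manifest inside the archive only detects corruption or changes made without updating the manifest. Compare the hash of the OVA file itself with a vendor-published value when one is available.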
Install Splunk Phantom with VMware vSphere ESXi or VMware vSphere
These instructions might not be an exact match for the way your VMware vSphere or ESXi products are configured. Consult your vSphere administrator or the documentation on the VMware website for more options.
You can use thin provisioning and install VMware Tools with Splunk Phantom.
- Log in to the correct vSphere or vCenter asset.
- From the File menu, select Deploy OVF Template.
- Click Browse to locate the downloaded OVA file.
- Click Next.
- Fill out the remaining settings options. Consult the VMware documentation on the VMware website or your VMware administrator.
- Click Finish.
Install Splunk Phantom with VMware Fusion® or VMware Fusion Pro®
For more detailed information on installing virtual machine images, consult the VMware Fusion or VMware Fusion Pro documentation.
- Open VMware Fusion or VMware Fusion Pro.
- From the File menu, select New.
- Click More options.
- Click Import an existing virtual machine.
- Click Choose File. Navigate to the Splunk Phantom OVA file.
- Click Open.
- Follow the remaining prompts to launch the virtual appliance.
Install Splunk Phantom with VMware Workstation Pro®
For more detailed information on installing virtual machine images, consult the VMware Workstation Pro documentation.
- Open VMware Workstation Pro.
- Click Open a Virtual Machine.
- Navigate to the Splunk Phantom OVA file.
- Click Open.
- Type a name and storage path for the virtual appliance.
- Click Import.
- Click Power on this virtual machine.
Install Splunk Phantom with VMware Workstation Player®
For more detailed information on installing virtual machine images, consult the VMware Workstation Player documentation.
- Open VMware Workstation Player.
- Click Open a Virtual Machine.
- Navigate to the Splunk Phantom OVA file.
- Click Open.
- Type a name and storage path for the virtual appliance.
- Click Import.
- Click Play virtual machine.
If you are prompted to connect additional devices, such as sound cards or USB ports to the virtual machine, decline. These devices are not required to run Splunk Phantom.
Install Splunk Phantom with Oracle® VirtualBox
For more detailed information on using Oracle VirtualBox to run virtual machine images, consult the VirtualBox end-user documentation on VirtualBox.org.
- Start Oracle VirtualBox.
- From the File menu, select Import Appliance.
- Select the folder icon to navigate to the Splunk Phantom OVA.
- Click Open.
- Click Continue.
- Click base_vm_centos_7.
- Click Start.
Complete the Splunk Phantom OVA install
These steps must be completed after the Splunk Phantom virtual appliance has been installed in your virtual machine manager.
At first boot, Splunk Phantom performs several actions automatically:
- Display a splash screen.
- Generate a self-signed SSL certificate.
- Prompt you to set the root and user account password.
- Display a configuration menu.
Set operating system passwords
You must set a password. The same password is applied to both of the virtual appliance's operating system accounts, root and user.
Remote SSH is disabled for the root user. The account user has sudo permissions. Use that account to administer the operating system.
- Type a password. Save this password somewhere safe.
- Type the password a second time to confirm it.
Once the password has been set, the configuration menu appears.
Assign an IP address to the virtual appliance
The Splunk Phantom virtual appliance is a server. It requires a static IP address for production environments. You can use DHCP for a test environment.
You can navigate the menu using keyboard arrow keys or the tab key to cycle through options.
- From the menu, select Configure Network.
- Click OK.
- Select Static to configure a static IP address for Splunk Phantom.
- Click OK.
- Type the IP address, netmask, gateway, nameserver 1, and nameserver 2.
- Click OK.
Next step: log in to verify the installation
You can log in to the Splunk Phantom web interface after the setup script completes to configure user accounts and additional settings. See Log in to the Splunk Phantom web interface.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9