Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Install Splunk Phantom as a virtual appliance

Splunk Phantom is delivered as a virtual machine image in .OVA format.

Download the virtual appliance image from the Splunk Phantom Community site on the Products page.

For evaluation or test environments, use a hypervisor or virtual machine management application such as VMware Fusion®, VMware Fusion Pro®, VMware Workstation Player®, VMware Workstation Pro®, or Oracle® VirtualBox.

For production environments, use VMware ESXi™ or VMware vSphere® version 5 or higher.

Install Splunk Phantom with VMware vSphere ESXi or VMware vSphere

These instructions might not be an exact match for the way your VMware vSphere or ESXi products configured. Consult your vSphere administrator or the documentation on the VMware website for more options.

You can use thin provisioning and install VMware Tools with Splunk Phantom.

  1. Log in to the correct vSphere or vCenter asset.
  2. From the File menu, select Deploy OVF Template.
  3. Click Browse to locate the downloaded OVA file.
  4. Click Next.
  5. Fill out the remaining settings options. Consult the VMware documentation on the VMware website or your VMware administrator.
  6. Click Finish.

Install Splunk Phantom with VMware Fusion® or VMware Fusion Pro®

For more detailed information on installing virtual machine images, consult the VMware Fusion or VMware Fusion Pro documentation.

  1. Open VMware Fusion or VMware Fusion Pro.
  2. From the File menu, select New.
  3. Click More options.
  4. Click Import an existing virtual machine.
  5. Click Choose File. Navigate to the Splunk Phantom OVA file.
  6. Click Open.
  7. Follow the remaining prompts to launch the virtual appliance.

Install Splunk Phantom with VMware Workstation Pro®

For more detailed information on installing virtual machine images, consult the VMware Workstation Pro documentation.

  1. Open VMware Workstation Pro.
  2. Click Open a Virtual Machine.
  3. Navigate to the Splunk Phantom OVA file.
  4. Click Open.
  5. Type a name and storage path for the virtual appliance.
  6. Click Import.
  7. Click Power on this virtual machine.

Install Splunk Phantom with VMware Workstation Player®

For more detailed information on installing virtual machine images, consult the VMware Workstation Player documentation.

  1. Open VMware Workstation Player.
  2. Click Open a Virtual Machine.
  3. Navigate to the Splunk Phantom OVA file.
  4. Click Open.
  5. Type a name and storage path for the virtual appliance.
  6. Click Import.
  7. Click Play virtual machine.

If you are prompted to connect additional devices, such as sound cards or USB ports to the virtual machine, decline. These devices are not required to run Splunk Phantom.

Install Splunk Phantom with Oracle® VirtualBox

For more detailed information on using Oracle VirtualBox to run virtual machine images, consult the VirtualBox end-user documentation on VirtualBox.org.

  1. Start Oracle VirtualBox.
  2. From the File menu, select Import Appliance.
  3. Select the folder icon to navigate to the Splunk Phantom OVA.
  4. Click Open.
  5. Click Continue.
  6. Click base_vm_centos_7.
  7. Click Start.

Complete the Splunk Phantom OVA install

These steps must be completed after the Splunk Phantom virtual appliance has been installed in your virtual machine manager.

At first boot, Splunk Phantom does several actions automatically:

  • Display a splash screen.
  • Generate a self-signed SSL certificate.
  • Prompt you to set the root and user account password.
  • Display a configuration menu.

Set operating system passwords

You must set a password. This password is set for both the virtual appliance's operating system user accounts root and user.

Remote SSH is disabled for the root user. The account user has sudo permissions. Use that account to administer the operating system.

  1. Type a password. Save this password somewhere safe.
  2. Type the password a second time to confirm it.

Once the password has been set, the configuration menu appears.

Assign an IP address to the virtual appliance

The Splunk Phantom virtual appliance is a server. It requires a static IP address for production environments. You can use DHCP for a test environment.

You can navigate the menu using keyboard arrow keys or the tab key to cycle through options.

  1. From the menu, select Configure Network.
  2. Click OK.
  3. Select Static to configure a static IP address for Splunk Phantom.
  4. Click OK.
  5. Type the IP address, netmask, gateway, nameserver 1, and nameserver 2.
  6. Click OK.

Next step: log in to verify the installation

You can log in to the Splunk Phantom web interface after the setup script completes to configure user accounts and additional settings. See Log in to the Splunk Phantom web interface.

Last modified on 07 December, 2020
Install Splunk Phantom using the Amazon Marketplace Image   Install Splunk Phantom to an existing server with RPM

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters