Overview
The Splunk Add-on for Splunk Phantom is required to use the Content pack for Monitoring Phantom as a Service. The add-on allows ITSI and Splunk Enterprise to get various Splunk Phantom log data with commonly used field names.
Product Compatibility Matrix
Verify that you have a support combination of products before installing the Splunk Add-on for Splunk Phantom.
Review the supported product combination in a Splunk Enterprise environment.
| Splunk Add-on for Splunk Phantom Version | Splunk Enterprise Version | Splunk Phantom Version | Splunk ITSI Version |
|---|---|---|---|
| 1.0.2 | 8.1..x | 4.10.x | 4.4, 4.x later than 4.4 |
| 8.0.6, 8.0.x later than 8.0.6 | 4.9.x, 4.10.x | 4.4, 4.x later than 4.4 | |
| 7.3.x | 4.9.x, 4.10.x | 4.4, 4.x later than 4.4 | |
| 1.0.1 | 7.3.x | 4.6, 4.6.x | 4.3, 4.3.x |
Prepare to install the Splunk Add-on for Splunk Phantom
Perform the following tasks before you install the Splunk Add-on for Splunk Phantom.
Install a universal forwarder on each Splunk Phantom server
The universal forwarder collects data from a data source or another forwarder and sends it to a forwarder or a Splunk deployment. You must install a universal forwarder on each Phantom server you plan to monitor.
- Install a universal forwarder on each Splunk Phantom server you plan to monitor. For instructions, see Install the universal forwarder software.
Because each Phantom server already includes an embedded copy of Splunk Enterprise, the universal forwarder detects a port conflict during the initial startup. This can adversely affect automated installation scripts. When you install manually, you're prompted to enter an alternate port. The alternate port is stored in
$SPLUNK_HOME/etc/system/local/web.conf.Checking prerequisites... Checking mgmt port [8089]: not available ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port. Would you like to change ports? [y/n]: y Enter a new mgmt port: 8189 Setting mgmt to port: 8189 The server's splunkd port has been changed. Checking mgmt port [8189]: open - Configure forwarding on each Phantom server with
outputs.conf. For more information, see Configure forwarding with outputs.conf.
See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure universal forwarders.
Configure the Splunk Phantom indexes
You must create Splunk indexes for Splunk Phantom data before the universal forwarder can send data to them.
On your Indexer tier, create an index called phantom. For more information about creating indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Install the Splunk Add-on for Splunk Phantom
Install the Splunk Add-on for Phantom to the following locations:
- The Splunk IT Service Intelligence (ITSI) search head, if you are using ITSI
- Indexers
- Universal forwarders that you installed in Step 1.
- Any heavy forwarders that the Splunk Phantom server's universal forwarders might send data to
This documentation applies to the following versions of Splunk® Add-on for Splunk Phantom: 1.0.2
Download manual
Feedback submitted, thanks!