Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Create a Splunk Phantom cluster from an RPM or TAR file installation

Build a cluster, putting each of the services on its own server or group of servers to serve multiple cluster nodes of Splunk Phantom.

Number Task Description
1 Create the HAProxy server. Use the HAProxy server to be a load balancer for the Splunk Phantom nodes in your cluster. See Set up a load balancer with an HAProxy server.
2 Create the PostgreSQL server or cluster. Establish a PostgreSQL database server or cluster to store Splunk Phantom information. See Set up an external PostreSQL server.
3 Create the file shares server. Splunk Phantom will store all its shared files on the prepared GlusterFS server. You can use NFS or other network file system. Instructions for that are not included in this document. See Set up external file shares using GlusterFS.
4 Install Splunk Enterprise. Splunk Phantom will use Splunk Enterprise for searches and collect data for indexing using the HTTP Event Collector. See Set up Splunk Enterprise.
5 Install Splunk Phantom cluster nodes.
  1. Install Splunk Phantom using the RPM for privileged installs or tar file method for unprivileged installs. Do this once for each node you need in your cluster. See Install Splunk Phantom using RPM or Install Splunk Phantom as an unprivileged user.
  2. Make the first node with make_cluster_node.pyc. See Run make_cluster_node.pyc.
  3. Make additional nodes.
Last modified on 03 April, 2020
Create a Splunk Phantom Cluster from an OVA installation   Create a Splunk Phantom cluster using an unprivileged installation

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters