Good morning,
I would like to test Splunk Phantom Community Edition in my home lab. When I try to install it following the documentation, the following error appears:
About to proceed with Phantom install
Do you wish to proceed [y/N]
y
sed: can't read /opt/phantom/bin/stop_phantom.sh: No such file or directory
Enter username: admin
Enter password: ************
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Cleaning repos: alternatives-phantom phantom-apps phantom-base phantom-product
: rhel-7-server-extras-rpms rhel-7-server-optional-rpms
: rhel-7-server-rh-common-rpms rhel-7-server-rpms
: rhel-7-server-supplementary-rpms rhel-server-rhscl-7-rpms
Updating phantom repo package
Error updating Phantom Repo package
https://***@repo.phantom.us/phantom/4.8/product/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized
Trying other mirror.
One of the configured repositories failed (Phantom product package),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=phantom-product ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable phantom-product
or
subscription-manager repos --disable=phantom-product
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=phantom-product.skip_if_unavailable=true
failure: repodata/repomd.xml from phantom-product: [Errno 256] No more mirrors to try.
https://***@repo.phantom.us/phantom/4.8/product/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized
Is it not possible to install Splunk Phantom from RPM packages? Is it only available via OVA for Community Edition?
Many thanks for your help.
The Community Edition of Splunk>Phantom can only be installed via the OVA available on the my.phantom.us portal.
RPM-based installs are supported only for POV/POC or Production licenses.
This error occurs even when a production license is installed:
Error updating Phantom Repo package
https://***@repo.phantom.us/phantom/4.8/product/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 401 - Unauthorized
Trying other mirror.
What user/password is used to access this repo link? The my.phantom.us login/pass?
Community users can't download or install using RPM. So we have to use the OVA instead. Sadly this also affects the Splunk Attack Range maintained by Splunk.
Link to similar topic: https://community.splunk.com/t5/Splunk-Phantom/About-to-install-Splunk-Phantom-Community-Edition/td-...
You can see here: https://docs.splunk.com/Documentation/Phantom/4.8/Install/InstallRPM :
Provide your Splunk Phantom community credentials when prompted for a username and password.
Basic community accounts cannot download or install from RPM; that has to be enabled by a sales engineer within Splunk. Community edition is essentially the OVA.