What are Splunk Common Network Ports that I may need to open to allow traffic through a firewall?
This is a diagram of Splunk components and network ports that are commonly used in a Splunk Enterprise environment. Firewall rules often need to be updated to allow communication on ports 8000, 8089, 9997, 514 and others.
Source files available here: http://downloads.jordan2000.com/splunk/
Updated version
Original version
What are cyber threats to Splunk network ports? Can someone tell
This is a fantastic diagram, thanks for posting!
I am super new to Splunk so please forgive the likely silly question but is all of the TCP 8089 communication within the Splunk components encrypted by default?
8089 is encrypted by default using unique self-signed SSL certs created by a Splunk installation when it runs for the first time.
See enableSplunkdSSL and serverCert in server.conf
https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Serverconf
Fun fact: You can regenerate these at any time with this command
/opt/splunk/bin/splunk createssl server-cert -n server -d /opt/splunk/etc/auth/ -l 2048 -c SplunkServerDefault
I've needed to do this recently for Splunk upgrades from 6.x to 7.x where an old expired cert caused comms failures between some Splunk components. Ideally the Splunk upgrade process should regenerate these certs if they are using defaults. I'm hopeful they do that in the future.
@rob_jordan: Is the source of this image available anywhere? There are a couple of discrepancies that should be fixed (as mentioned in the comments), but it's the best diagram I have seen.
@tmcneely I've updated the diagram. Source files are also here http://downloads.jordan2000.com/splunk
I note that this and the Splunk web GUI suggests port 8080 for indexer port replication.
http://imgur.com/6im8rti
However the CLI and conf documentation suggests to use port 9887.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configurepeerswithserverconf
http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/ConfigurepeerswithCLI
Granted, both will work; however, which is the Splunk-sanctioned port, 8080 or 9887?
There's really no sanctioned port, as such. 9887 is just an example of a port that you can use for the purpose.
As the documentation states, "You can specify any available, unused port as the replication port. Do not re-use the management or receiving ports."
See http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configurepeerswithserverconf
Great diagram. Is there an updated one to include Search Head Clustering? New ports required are 8191 for the KV store, and a replication port chosen at implementation time (I have seen 8989 used) for search head cluster members to replicate data.
@jbrodsky, I've updated to include search head clustering and kvstore.
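As an added example (not from the original thread, and not Splunk's own tooling), here is a small Python audit that reads a server.conf and flags the issues raised above: enableSplunkdSSL turned off so that the 8089 management port would be plaintext, a replication port that re-uses the management or receiving port (which the documentation quoted above says not to do), and a KV store port that collides with one of those. The two sample configurations are constructed for the example; the [sslConfig], [replication_port://<port>] and [kvstore] stanza names are assumed to follow the documented server.conf syntax, and the default management (8089) and receiving (9997) ports are taken from the diagram.

```python
"""Audit a Splunk server.conf for port and TLS pitfalls discussed in this thread.

Checks (all based on the thread and the linked docs):
  * [sslConfig] enableSplunkdSSL must not be explicitly false (default is true).
  * A [replication_port://N] (or replication_port-ssl) stanza must not re-use
    the management port (8089 by default) or the receiving port (9997).
  * [kvstore] port must not collide with any of the ports above.
"""
import configparser
import re
from typing import List

# Constructed sample, NOT a real file: deliberately weak settings the audit should flag.
WEAK_SERVER_CONF = """
[sslConfig]
enableSplunkdSSL = false
serverCert = $SPLUNK_HOME/etc/auth/server.pem

[replication_port://8089]
disabled = 0

[kvstore]
port = 8191
"""

# Constructed sample that follows the documented guidance (any unused port for replication).
GOOD_SERVER_CONF = """
[sslConfig]
enableSplunkdSSL = true
serverCert = $SPLUNK_HOME/etc/auth/server.pem

[replication_port://9887]
disabled = 0

[kvstore]
port = 8191
"""

# Matches the stanza header form documented for indexer/search-head replication ports.
REPL_STANZA = re.compile(r"^replication_port(?:-ssl)?://(\d+)$")


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style conf text; keys stay case-sensitive like Splunk's."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_server_conf(text: str, mgmt_port: int = 8089, receiving_port: int = 9997) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    cp = parse_conf(text)

    # 1. Management-port TLS. Splunk defaults to true, so only an explicit false is a finding.
    ssl = cp["sslConfig"] if cp.has_section("sslConfig") else {}
    if ssl.get("enableSplunkdSSL", "true").strip().lower() in ("false", "0", "no"):
        findings.append(
            f"[sslConfig]: enableSplunkdSSL=false, management port {mgmt_port} would be plaintext"
        )

    # 2. Replication port must be an unused port, not the management or receiving port.
    reserved = {mgmt_port: "management", receiving_port: "receiving"}
    for section in cp.sections():
        m = REPL_STANZA.match(section)
        if not m:
            continue
        port = int(m.group(1))
        if port in reserved:
            findings.append(f"[{section}]: replication port {port} re-uses the {reserved[port]} port")
        else:
            reserved[port] = f"replication ({section})"

    # 3. KV store port (8191 by convention, per the thread) must not collide with the others.
    if cp.has_section("kvstore") and cp.has_option("kvstore", "port"):
        kv_port = int(cp["kvstore"]["port"])
        if kv_port in reserved:
            findings.append(f"[kvstore]: port {kv_port} collides with the {reserved[kv_port]} port")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SERVER_CONF), ("good", GOOD_SERVER_CONF)):
        print(f"{label}: {audit_server_conf(conf) or ['no findings']}")
```

To run it against a real deployment, read $SPLUNK_HOME/etc/system/local/server.conf (and any app-level server.conf that overrides it) and pass the text to audit_server_conf; if the management port was moved in web.conf, pass that value as mgmt_port.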
Great job!!! I almost only see this information in tables.
Did you create this with MS Visio?
This is great.
For what it's worth, the cluster master / indexers communication is bidirectional (maybe double-headed arrow?), and port 9997 is primarily a tradition, though I think the GUI provides that default. There's a support-generated diagram somewhere that labels SSL-by-default differently from others, but that's synonymous with the default-port 8089 traffic.
Technically, external apps can use the REST API to any nodes in the system, but that's going to be only really useful for custom administration goals or custom troubleshooting goals, typically. The search head is definitely by far the most common target.
Why isn't a complete common network port diagram provided by Splunk in the Official Documentation instead of telling the responder all the tweaks he should be making to maintain his personal version? Seems like standard info that would benefit the entire community by being officially documented by Splunk. If there is an official one already out there, please point me to it, because I haven't found one.
Thanks. The other direction of communication for the Cluster Master would be due to the Cluster Master polling members of the cluster, correct? (That would be in addition to the members themselves checking in with the Cluster Master)