9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page.
8089 for splunkd (also used by deployment server).
All of these can be changed if desired.
The Splunk Documentation has a page that discusses which ports need to be opened, and has diagrams for both standalone and distributed deployments:
Components and their relationship with the network - in the Inherited Deployments Manual
Nice use of colors. One change you may want to review is the direction on the deployer arrows. My understanding is that clients do a pull from a Deployment Server vs the Deployer initiating a push to search peers in a cluster.
Is there an updated version of this Visio for clustered search heads and indexers?
I've taken the liberty of updating the diagram slightly to reflect both changes in code since 6.2 and recommendations between this and one other post.
JPG format: https://drive.google.com/open?id=0B3PXaVtuNWbnMzJ6bTlkcXRmMFE
Visio format: https://drive.google.com/open?id=0B3PXaVtuNWbnRGtyM2phX2tWQ3M
Thanks @rob_jordan for the great effort and for sharing!
Also note that for Search Head Clustering there is a new replication port that you can pick, e.g. 8181. Also with SHC, the KV store port (by default, 8191) must be available to all other members. You can use the CLI command splunk show kvstore-port to identify the port number.
The replication port must be available to all other members.
Since Splunk 6.2, port 8191 is also used for the kvstore.
It seems many are confused about the port required from UFs to a HF, which is 9997 too, i.e.
UFs ---9997---> HF --- 9997---> Indexers
UFs, Indexers, SHs ---8089 ---> DS
Many use HF & DS as the same server.
This is a diagram of Splunk components and network ports that are commonly used in a Splunk Enterprise environment. Firewall rules often need to be updated to allow communication on ports 8000, 8089, 9997, 514 and others.
Source files available here: http://downloads.jordan2000.com/splunk/
Many thanks for sharing. This is very useful, clear.
Little typo there on the MANAGEMENT TIER.
Does anybody have a version of this made specifically for opening firewall ports between an on-premise installation and splunkcloud.com?
This is excellent. Very helpful.
I downvoted this post because for analysis
Amazing, exactly what I needed
We're working on getting this or something like this added to the main documentation. We'll keep you posted on where and when (soon!)
Thank you for this diagram, kind sir.
@rob_jordan : Your picture speaks 100000k words 🙂 very helpful
Wow. Nicely done. This is so hard to find in the official documentation.
I would also suggest adding flows on port 9997 from the search heads, deployment server, license server, and cluster master to the indexers, with a footnote that this is an optional flow used for forwarding Splunk's internal indexes (a recommended best practice).
@steven_swor I've added your recommendation.
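Added example (not part of the thread, the diagram, or Splunk's documentation): the flows named in the posts above written as a matrix and used to audit a proposed firewall allow-list for wildcard rules, rules that match no listed flow, and required flows that have no rule. The role names (including shc_member), the rule format and the sample rules are assumptions constructed for illustration; the ports are the defaults quoted in the thread.

```python
ANY = "any"  # wildcard marker used in the constructed rules below

# (source role, destination role, TCP port, optional?); default ports from the thread.
FLOWS = [
    ("client", "search_head", 8000, False),               # Splunk Web
    ("universal_forwarder", "heavy_forwarder", 9997, False),
    ("universal_forwarder", "indexer", 9997, False),
    ("heavy_forwarder", "indexer", 9997, False),
    ("universal_forwarder", "deployment_server", 8089, False),
    ("indexer", "deployment_server", 8089, False),
    ("search_head", "deployment_server", 8089, False),
    ("shc_member", "shc_member", 8181, False),            # replication (example port)
    ("shc_member", "shc_member", 8191, False),            # KV store
    # Optional: forwarding Splunk's internal indexes to the indexers.
    ("search_head", "indexer", 9997, True),
    ("deployment_server", "indexer", 9997, True),
    ("license_server", "indexer", 9997, True),
    ("cluster_master", "indexer", 9997, True),
]

def covers(rule, flow):
    """True if allow rule (src, dst, port) permits the flow."""
    return all(r in (ANY, f) for r, f in zip(rule, flow[:3]))

def audit(rules, roles):
    """Return (too_broad, unknown, missing) for the roles actually deployed."""
    wanted = [f for f in FLOWS if f[0] in roles and f[1] in roles]
    too_broad = [r for r in rules if ANY in r]
    unknown = [r for r in rules
               if ANY not in r and not any(covers(r, f) for f in wanted)]
    missing = [f[:3] for f in wanted
               if not f[3] and not any(covers(r, f) for r in rules)]
    return too_broad, unknown, missing

# Constructed sample: forwarders send straight to indexers, no search head cluster.
ROLES = {"client", "universal_forwarder", "indexer", "search_head",
         "deployment_server"}
RULES = [
    ("client", "search_head", 8000),
    ("universal_forwarder", "indexer", 9997),
    ("universal_forwarder", "deployment_server", 8089),
    ("indexer", "deployment_server", 8089),
    (ANY, "indexer", 8089),            # wildcard source: flagged as too broad
    ("search_head", "indexer", 9997),  # optional internal-index forwarding
    ("client", "indexer", 9997),       # no such flow in the thread: flagged
]

if __name__ == "__main__":
    print(dict(zip(("too_broad", "unknown", "missing"), audit(RULES, ROLES))))
```

Optional flows are never reported as missing, so the audit only complains about them when a rule is present for a role pair the thread does not list.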