Defaults are:
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page.
8089 for splunkd (also used by deployment server).
All of these can be changed if desired.
Wow. Nicely done. This is so hard to find in the official documentation.
I would also suggest adding flows on port 9997 from the search heads, deployment server, license server, and cluster master to the indexers, with a footnote that this is an optional flow used for forwarding Splunk's internal indexes (a recommended best practice).
@steven_swor I've added your recommendation.
Kudos. This is very helpful Rob.
I should get around to updating soon with the feedback I've received.
And mark which connections are using SSL by default (which have to be switched on manually...)
Great picture!
Thank you very much...
Holger
clap clap clap.
BTW, on my forwarders, using tcpdump, I never see port 8089 used. I do see the forwarder listening on port 8089, just no data flowing. Seems odd.
The communication on port 8089 will only be there if you've set up the deployment server.
On my forwarders, I see bi-directional data flowing on port 9997 between the forwarders and the indexers (using tcpdump src port 9997 and tcpdump dst port 9997).
From Splunk indexer 1:
tcpdump src port 9997
16:03:15.882512 IP ddcsplunkindex01.ddc.verizon.com.palace-6 > 152.190.138.xxx.40612: Flags [P.], seq 114:171, ack 3058, win 6767, options [nop,nop,TS val 511776904 ecr 342512613], length 57
Splunk will only use src port 9997 as replies (src ports are usually higher numbers). I suspect you're reading this data incorrectly. Unless you've set your indexers to output data to the forwarders, there's no reason for the indexers to initiate communication. If they were, the src ports would be higher random numbered ports.
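Working through the reasoning in the reply above (and the direction questions later in the thread), here is an added example that is not from any post in this thread: a small Python script that reads `tcpdump -nn` output lines and works out which side initiated each connection, from the SYN/SYN-ACK when the handshake was captured, and otherwise from the ephemeral-port heuristic the reply describes (the fixed low port belongs to the listener, the high random port to the client). The sample capture lines and host addresses are constructed, the 32768 ephemeral-port boundary is an assumption (the Linux default `ip_local_port_range`), and the port-to-role labels are taken from the posts in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports named in the thread; the role of each is taken from the posts above.
SPLUNK_PORTS = {
    9997: "forwarder -> indexer (splunktcp)",
    8089: "splunkd management / deployment server / license master",
    8000: "Splunk Web",
    8191: "KV store",
    8080: "indexer replication",
    514: "network (syslog) input",
}

# Assumption: Linux default ip_local_port_range starts at 32768, so a port at or
# above it is treated as a client-side ephemeral port.
EPHEMERAL_MIN = 32768

# Matches the start of a `tcpdump -nn` TCP line: timestamp, src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Flow:
    client: str        # host that initiated the TCP connection
    server: str        # host listening on the service port
    service_port: int  # the listening port (what a firewall rule needs)
    direction: str     # "request" (client -> server) or "reply" (server -> client)
    evidence: str      # how we decided: "SYN", "SYN-ACK" or "ephemeral-port"

    @property
    def service(self) -> str:
        return SPLUNK_PORTS.get(self.service_port, "unknown")


def classify(line: str) -> Optional[Flow]:
    """Decide who initiated the connection a tcpdump line belongs to.

    Returns None for non-TCP or unparsable lines, and for packets where both
    ports look ephemeral (no way to tell client from server)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = m["src"], int(m["sport"])
    dst, dport = m["dst"], int(m["dport"])
    flags = m["flags"]
    # Handshake packets are unambiguous: a bare SYN comes from the initiator,
    # a SYN-ACK goes back to it.
    if flags == "S":
        return Flow(src, dst, dport, "request", "SYN")
    if flags == "S.":
        return Flow(dst, src, sport, "reply", "SYN-ACK")
    # Mid-connection packet (the [P.] case quoted in the thread): the side on the
    # low fixed port is the listener, the side on the high port is the client.
    if sport < EPHEMERAL_MIN <= dport:
        return Flow(dst, src, sport, "reply", "ephemeral-port")
    if dport < EPHEMERAL_MIN <= sport:
        return Flow(src, dst, dport, "request", "ephemeral-port")
    return None


def summarize(lines: List[str]) -> Dict[Tuple[str, str, int], Dict[str, int]]:
    """Aggregate packets into (client, server, port) -> packet counts per direction.
    Each key is one firewall rule to allow: client -> server on port."""
    summary: Dict[Tuple[str, str, int], Dict[str, int]] = defaultdict(
        lambda: {"request": 0, "reply": 0}
    )
    for line in lines:
        flow = classify(line)
        if flow is not None:
            summary[(flow.client, flow.server, flow.service_port)][flow.direction] += 1
    return dict(summary)


# Constructed sample capture (not from the thread): 10.0.0.50 plays a forwarder,
# 10.0.0.20 an indexer, 10.0.0.30 a deployment server.
SAMPLE_LINES = [
    "16:03:15.882512 IP 10.0.0.20.9997 > 10.0.0.50.40612: Flags [P.], seq 114:171, ack 3058, win 6767, length 57",
    "16:03:15.882601 IP 10.0.0.50.40612 > 10.0.0.20.9997: Flags [.], ack 171, win 501, length 0",
    "16:03:16.000100 IP 10.0.0.50.40613 > 10.0.0.20.9997: Flags [S], seq 123456, win 64240, length 0",
    "16:03:20.100000 IP 10.0.0.50.40880 > 10.0.0.30.8089: Flags [S], seq 987654, win 64240, length 0",
    "16:03:20.100500 IP 10.0.0.30.8089 > 10.0.0.50.40880: Flags [S.], seq 1, ack 987655, win 65160, length 0",
    "16:03:21.000000 IP 10.0.0.50.40700 > 10.0.0.60.40701: Flags [P.], seq 1:10, ack 1, win 501, length 9",
    "16:03:21.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 28",
]

if __name__ == "__main__":
    for (client, server, port), counts in summarize(SAMPLE_LINES).items():
        print(f"allow {client} -> {server}:{port} ({SPLUNK_PORTS.get(port, 'unknown')}) "
              f"requests={counts['request']} replies={counts['reply']}")
```

Run against the constructed lines it reports two flows, both initiated by the forwarder (to the indexer on 9997 and to the deployment server on 8089), even though the first packet in the capture has source port 9997: that packet is a reply inside a forwarder-initiated connection, which is the point the reply above makes. The two-ephemeral-port line and the ARP line are skipped because nothing in them says who the listener is.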
Hi,
I have similar questions, but I need a bit more detail about direction.
Is the Splunk forwarder port 9997 TCP/UDP, from agent to indexer?
Is the Splunk management port 8089 TCP only, and from indexer/deployment server to agent or bidirectional?
Cheers
Andy
You can add:
port 8089 for the license-master (from license-slave to license-master)
port XXXX for the replication cluster master, and slaves.
and any other ports open to monitor tcp/udp.
8089 for the deployment server is only needed from the client to the deployment server. Client being indexer, UF, etc.
9997 from the forwarder to the indexer. No connection is needed back from the indexers.
8089 is also used from a Search Head to your indexers. Again only single direction.
I downvoted this post because port listing is at best incomplete and another post better answers the question.
KV store port - 8191
Indexer Replication port - 8080
Network port - 514
You may upvote this now 🙂 @bohanlon @mikelanghorst
9997 is not a default; just a convention. You need to set it explicitly on the receiving instance (indexer).
Awesome, couldn't be clearer than that.