Getting Data In

What are the ports that I need to open?

antoaravinth
Engager

Hi, for Splunk to work properly, what are the ports that I need to open?

Can anyone specify the inbound ports and outbound ports?

1 Solution

mikelanghorst
Motivator

Defaults are:
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page.
8089 for splunkd (also used by deployment server).

All of these can be changed if desired.


steven_swor
Path Finder

Wow. Nicely done. This is so hard to find in the official documentation.

I would also suggest adding flows on port 9997 from the search heads, deployment server, license server, and cluster master to the indexers, with a footnote that this is an optional flow used for forwarding Splunk's internal indexes (a recommended best practice).

bandit
Motivator

@steven_swor I've added your recommendation.


tross33
Explorer

Kudos. This is very helpful Rob.


bandit
Motivator

I should get around to updating soon with the feedback I've received.


hsesterhenn_spl
Splunk Employee

And mark which connections are using SSL by default (which have to be switched on manually...)

Great picture!

Thank you very much...

Holger


yannK
Splunk Employee

clap clap clap.

hokie1999
Explorer

BTW, on my forwarders, using tcpdump, I never see port 8089 used. I do see the forwarder listening on port 8089, just no data flowing. Seems odd.

mikelanghorst
Motivator

The communication on port 8089 will only be if you've set up the deployment server.

hokie1999
Explorer

On my forwarders, I see bi-directional data flowing on port 9997 between the forwarders and the indexers (using tcpdump src port 9997 and tcpdump dst port 9997).


hokie1999
Explorer

From splunk indexer 1:

tcpdump src port 9997

16:03:15.882512 IP ddcsplunkindex01.ddc.verizon.com.palace-6 > 152.190.138.xxx.40612: Flags [P.], seq 114:171, ack 3058, win 6767, options [nop,nop,TS val 511776904 ecr 342512613], length 57


mikelanghorst
Motivator

Splunk will only use src port 9997 as replies (src ports are usually higher numbers). I suspect you're reading this data incorrectly. Unless you've set your indexers to output data to the forwarders, there's no reason for the indexers to initiate communication. If they were, the src ports would be higher random numbered ports.

andyfry_nec
Engager

Hi,

I have similar questions, but I need a bit more detail about direction.

Is the Splunk forwarder port 9997 tcp/udp from agent to indexer?
Is the Splunk management port 8089 tcp only and from indexer/deployment server to agent or bidirectional?

Cheers

Andy

yannK
Splunk Employee

You can add:
port 8089 for the license-master (from license-slave to license-master)
port XXXX for the replication cluster master, and slaves.

and any other ports open to monitor tcp/udp.


mikelanghorst
Motivator

8089 for the deployment server is only needed from the client to the deployment server. Client being indexer, UF, etc.
9997 from the forwarder to the indexer. No connection is needed back from the indexers.
8089 is also used from a Search Head to your indexers. Again only single direction.
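
As an added example (not part of any post in this thread, and not Splunk code), the directional flows listed above can be turned into a check that separates replies from new connections in `tcpdump -n` output. The role names, the 192.0.2.x addresses and the sample lines are constructed for illustration.

```python
import re

# Allowed initiator -> listener flows, taken from the replies in this thread.
# Role names are labels invented for this example.
ALLOWED = {
    ("forwarder", "indexer", 9997),
    ("forwarder", "deployment_server", 8089),
    ("indexer", "deployment_server", 8089),
    ("search_head", "indexer", 8089),
    ("user", "search_head", 8000),
}
SERVICE_PORTS = {port for _, _, port in ALLOWED}

# Address part of a `tcpdump -n` line: "IP a.b.c.d.sport > a.b.c.d.dport:"
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed inventory and capture lines (documentation address range).
ROLES = {"192.0.2.10": "indexer", "192.0.2.20": "forwarder", "192.0.2.30": "search_head"}
SAMPLE = [
    "16:03:15.882512 IP 192.0.2.10.9997 > 192.0.2.20.40612: Flags [P.], length 57",
    "16:03:16.001200 IP 192.0.2.30.51822 > 192.0.2.10.8089: Flags [S], length 0",
    "16:03:17.440031 IP 192.0.2.10.45110 > 192.0.2.20.8089: Flags [S], length 0",
]

def classify(line, roles):
    """Return (initiator_role, listener_role, port, verdict), or None if unparsable."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    # The side on a known service port is the listener. A packet whose *source*
    # port is the service port is a reply, so the initiator is its destination.
    if dport in SERVICE_PORTS and sport not in SERVICE_PORTS:
        initiator, listener, port = src, dst, dport
    elif sport in SERVICE_PORTS and dport not in SERVICE_PORTS:
        initiator, listener, port = dst, src, sport
    else:
        return (roles.get(src, "unknown"), roles.get(dst, "unknown"), dport, "ambiguous")
    flow = (roles.get(initiator, "unknown"), roles.get(listener, "unknown"), port)
    return flow + ("allowed" if flow in ALLOWED else "unexpected",)

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry, ROLES))
```

The first sample line has source port 9997 and is classified as a reply on a forwarder-to-indexer connection; the third, an indexer opening a connection to a forwarder's 8089, is not among the flows listed in the thread and is flagged.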

mikelanghorst
Motivator

Defaults are:
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page.
8089 for splunkd (also used by deployment server).

All of these can be changed if desired.

bohanlon_splunk
Splunk Employee

I downvoted this post because port listing is at best incomplete and another post better answers the question.


saurabh_tek
Communicator

KV store port - 8191
Indexer Replication port - 8080
Network port - 514

You may upvote this now 🙂 @bohanlon @mikelanghorst

Steve_G_
Splunk Employee

9997 is not a default; just a convention. You need to set it explicitly on the receiving instance (indexer).

DEHIOBU
Engager

Awesome, couldn't be clearer than that.
