Solved: Re: What are the ports that I need to open? - Page 2

antoaravinth · ‎09-17-2012

Hi, for Splunk to work properly, what are the ports that I need to open?

Can anyone specify the inbound ports and outbound ports?

mikelanghorst · ‎09-17-2012

defaults are
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).

All of these can be changed if desired.

View solution in original post

steven_swor · ‎02-02-2015

Wow. Nicely done. This is so hard to find in the official documentation.

I would also suggest adding flows on port 9997 from the search heads, deployment server, license server, and cluster master to the indexers, with a footnote that this is an optional flow used for forwarding Splunk's internal indexes (a recommended best practice).

bandit · ‎11-19-2017

@steven_swor I've added your recommendation.

tross33 · ‎03-09-2015

Kudos. This is very helpful Rob.

bandit · ‎03-24-2015

I should get around to updating soon with the feedback I've received.

hsesterhenn_spl · ‎04-20-2015

And mark which connections are using SSL bei default (which have to be switched on manually...)

Great picture!

Thank you very much...

Holger

yannK · ‎01-15-2014

clap clap clap.

hokie1999 · ‎02-25-2013

BTW, on my forwarders, using tcpdump, I never see port 8089 used. I do see the forwarder listening on port 8089, just no data flowing. Seems odd.

mikelanghorst · ‎02-25-2013

The communication on port 8089 will only be if you've setup the deployment server.

hokie1999 · ‎02-25-2013

On my forwarders, I see bi-directional data flowing on port 9997 between the forwarders and the indexers (using tcpdump src port 9997 and tcpdump dst port 9997)

hokie1999 · ‎02-25-2013

From splunk indexer 1:

tcpdump src port 9997

16:03:15.882512 IP ddcsplunkindex01.ddc.verizon.com.palace-6 > 152.190.138.xxx.40612: Flags [P.], seq 114:171, ack 3058, win 6767, options [nop,nop,TS val 511776904 ecr 342512613], length 57

mikelanghorst · ‎02-25-2013

Splunk will only use src port 9997 as replies (src ports are usually higher numbers). I suspect you're reading this data incorrectly. Unless you've set your indexers to output data to the forwarders, there's no reason for the indexers to initiate communication. If they were, the src ports would be higher random numbered ports.

andyfry_nec · ‎10-18-2012

Hi,

I have similar questions, but I need a bit more detail about direction.

Is the splunk forwarder port 9997 tcp/udp from agent to indexer ?
Is the splunk management port 8089 tcp only and from indexer/deployment server to agent or bidirectional?

Cheers

Andy

yannK · ‎02-25-2013

you can add :
port 8089 for the license-master (from license-slave to license-master)
port XXXX for the replication cluster master, and slaves.

and any other ports open to monitor tcp/udp.

mikelanghorst · ‎10-18-2012

8089 for the deployment server is only needed from the client to the deployment server. Client being indexer, UF, etc.
9997 from the forwarder to the indexer. No connection is needed back from the indexers.
8089 is also used from a Search Head to your indexers. Again only single direction.

mikelanghorst · ‎09-17-2012

defaults are
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).

All of these can be changed if desired.

bohanlon_splunk · ‎09-21-2016

I downvoted this post because port listing is at best incomplete and another post better answers the question.

saurabh_tek · ‎01-13-2017

KV store port - 8191
Indexer Replication port - 8080
Network port - 514

you may upvoat this now 🙂 @bohanlon @mikelanghorst

Steve_G_ · ‎11-10-2014

9997 is not a default; just a convention. You need to set it explicitly on the receiving instance (indexer).

DEHIOBU · ‎05-21-2016

Awesome couldn't be more clearer than that.

What are the ports that I need to open?

other

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation