9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page.
8089 for splunkd (also used by deployment server).
All of these can be changed if desired.
9997 is not a default; just a convention. You need to set it explicitly on the receiving instance (indexer).
I downvoted this post because the port listing is at best incomplete and another post better answers the question.
KV store port - 8191
Indexer Replication port - 8080
Network port - 514
You may upvote this now 🙂 @bohanlon @mikelanghorst
I have similar questions, but I need a bit more detail about direction.
Is the Splunk forwarder port 9997 tcp/udp from agent to indexer?
Is the Splunk management port 8089 tcp only and from indexer/deployment server to agent or bidirectional?
8089 for the deployment server is only needed from the client to the deployment server. Client being indexer, UF, etc.
9997 from the forwarder to the indexer. No connection is needed back from the indexers.
8089 is also used from a Search Head to your indexers. Again only single direction.
You can add:
port 8089 for the license-master (from license-slave to license-master)
port XXXX for the replication cluster master, and slaves.
and any other ports open to monitor tcp/udp.
On my forwarders, I see bi-directional data flowing on port 9997 between the forwarders and the indexers (using tcpdump src port 9997 and tcpdump dst port 9997).
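An added example, not written by any poster in this thread: on a TCP connection the indexer's replies carry source port 9997, so a capture shows packets both ways even when only the forwarder opens the connection. This Python sketch reads `tcpdump -nn` style lines and reports, per connection, who sent the opening SYN, which is the direction a stateful firewall rule has to allow. The sample lines and the addresses (forwarder 10.0.0.5, indexer 10.0.0.20) are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump -nn style lines (not a real capture). Assumed addresses:
# forwarder 10.0.0.5, indexer 10.0.0.20 receiving on 9997.
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.51514 > 10.0.0.20.9997: Flags [S], seq 100, win 64240, length 0
12:00:00.000210 IP 10.0.0.20.9997 > 10.0.0.5.51514: Flags [S.], seq 900, ack 101, win 65160, length 0
12:00:00.000250 IP 10.0.0.5.51514 > 10.0.0.20.9997: Flags [.], ack 1, win 502, length 0
12:00:00.001000 IP 10.0.0.5.51514 > 10.0.0.20.9997: Flags [P.], seq 1:1449, ack 1, win 502, length 1448
12:00:00.001300 IP 10.0.0.20.9997 > 10.0.0.5.51514: Flags [.], ack 1449, win 501, length 0
"""

LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)

def summarize(capture, port=9997):
    """Group packets into TCP connections touching `port` and report, per
    connection, who opened it and how much each side sent."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m or port not in (int(m["sport"]), int(m["dport"])):
            continue
        # Same key for both directions of one connection.
        ends = tuple(sorted([(m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))]))
        flow = flows.setdefault(ends, {"initiator": None, "listener": None,
                                       "packets": defaultdict(int),
                                       "payload": defaultdict(int)})
        flow["packets"][m["src"]] += 1
        flow["payload"][m["src"]] += int(m["len"])
        if m["flags"] == "S":  # SYN without ACK: sent only by the side opening the connection
            flow["initiator"] = m["src"]
            flow["listener"] = f'{m["dst"]}:{m["dport"]}'
    return [{**f, "packets": dict(f["packets"]), "payload": dict(f["payload"])}
            for f in flows.values()]

if __name__ == "__main__":
    for f in summarize(SAMPLE):
        # initiator is None when the capture started after the handshake
        print(f"opened by {f['initiator']} -> {f['listener']}")
        for host, count in f["packets"].items():
            print(f"  {host}: {count} packets, {f['payload'][host]} payload bytes")
```

In the constructed sample the indexer sends two packets with source port 9997 but zero payload bytes: they are the handshake reply and a TCP acknowledgement on the connection the forwarder opened.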