Splunk Enterprise installation does not details about which ports to open?




I'm following the steps here:

After installing and starting the service, I'm of course unable to access port 8000 to access the web interface because the system firewall is blocking connections. Besides port 8000, what other ports should I open through the firewall and why isn't this documented on the above page?

If anyone has a link to splunk documentation about the ports used, please let me know. I've seen lots of splunk community answers showing different ports, but others say they are user-defined. Like port 9997 for the forwarder to send data to the splunk server... I haven't configured that yet (it wasn't in the above documentation).

I see that my splunk server is currently listening on ports 8000, 8089, and 8191, according to the output of "sudo ss -tunlp"

tcp LISTEN 0 128* users:(("splunkd",pid=1806,fd=4))
tcp LISTEN 0 128* users:(("mongod",pid=2285,fd=9))
tcp LISTEN 0 128* users:(("splunkd",pid=1806,fd=100))

I tried opening a support case, but apparently I can't do that either. I'm really not sure where to ask this question, or who to ask in order to get the installation documentation updated.

If I should post this somewhere else, please let me know.

Thank you,


Labels (1)
0 Karma


Thank you! I've added just port 8000 for now, since it seems like everything else will be added later and configured separately. It doesn't seem like anything else is immediately needed. But I ran into the next undocumented problem right away: my browser, Chrome, enforces https (I can't even go to http://myhost:8000) and apparently splunk doesn't use https? I'm getting "ERR_SSL_PROTOCOL_ERROR". But I can't find any documentation about how to set up SSL (ideally a self-signed certificate to start, and then import a signed certificate at a later date).

Thanks for the tip about leaving feedback about the documentation.

For other users: I didn't notice before, but there is a "Was this topic useful?" link at the bottom of the documentation page where you can submit an email address and free-form feedback. I'm doing this now.

0 Karma


Using SSL for the web interface is documented, but can be tricky to find.  Just set enableSplunkWebSSL = true in $SPLUNK_HOME/etc/system/local/web.conf.  See for details.

If you don't have a file called $SPLUNK_HOME/etc/system/local/web.conf (which you may not on a new installation), then create it and copy the lines from the docs into the file.

Restart Splunk for the changes to take effect.

If this reply helps you, Karma would be appreciated.


This is where Splunk documentation is found to be wanting.  One reason may be to avoid confusion since there are many possible ports Splunk could use, but very few necessary to get started.  And, as you've learned, they're all configurable so the documentation would only be a guideline.

See this answer for the basics.

Submit feedback on the documentation to let Splunk know you couldn't find the information you needed.

Here are some other ports I've collected over time.




Indexer replication






App Key Value Store


SHC replication


Receive forwarded data

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...