Splunk Enterprise installation does not give details about which ports to open?




I'm following the steps here:

After installing and starting the service, I'm of course unable to access port 8000 to access the web interface because the system firewall is blocking connections. Besides port 8000, what other ports should I open through the firewall and why isn't this documented on the above page?

If anyone has a link to Splunk documentation about the ports used, please let me know. I've seen lots of Splunk community answers showing different ports, but others say they are user-defined. Like port 9997 for the forwarder to send data to the Splunk server... I haven't configured that yet (it wasn't in the above documentation).

I see that my Splunk server is currently listening on ports 8000, 8089, and 8191, according to the output of "sudo ss -tunlp":

tcp LISTEN 0 128* users:(("splunkd",pid=1806,fd=4))
tcp LISTEN 0 128* users:(("mongod",pid=2285,fd=9))
tcp LISTEN 0 128* users:(("splunkd",pid=1806,fd=100))

I tried opening a support case, but apparently I can't do that either. I'm really not sure where to ask this question, or who to ask in order to get the installation documentation updated.

If I should post this somewhere else, please let me know.

Thank you,




Thank you! I've added just port 8000 for now, since it seems like everything else will be added later and configured separately. It doesn't seem like anything else is immediately needed. But I ran into the next undocumented problem right away: my browser, Chrome, enforces HTTPS (I can't even go to http://myhost:8000) and apparently Splunk doesn't use HTTPS? I'm getting "ERR_SSL_PROTOCOL_ERROR". But I can't find any documentation about how to set up SSL (ideally a self-signed certificate to start, and then import a signed certificate at a later date).

Thanks for the tip about leaving feedback about the documentation.

For other users: I didn't notice before, but there is a "Was this topic useful?" link at the bottom of the documentation page where you can submit an email address and free-form feedback. I'm doing this now.



Using SSL for the web interface is documented, but can be tricky to find.  Just set enableSplunkWebSSL = true in $SPLUNK_HOME/etc/system/local/web.conf.  See for details.

If you don't have a file called $SPLUNK_HOME/etc/system/local/web.conf (which you may not on a new installation), then create it and copy the lines from the docs into the file.

Restart Splunk for the changes to take effect.

If this reply helps you, Karma would be appreciated.
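
One way to apply the setting from the reply above without hand-editing the file, shown as an added example that is not part of the original thread or Splunk's own tooling. It assumes the key belongs under the [settings] stanza of web.conf; the function name enable_splunkweb_ssl is this example's own.

```shell
#!/usr/bin/env bash
# Added example: idempotently set "enableSplunkWebSSL = true" under the
# [settings] stanza of a web.conf file. Handles a missing file, a missing
# stanza, a missing key, and an existing key with a different value.
# Usage (then restart Splunk):
#   enable_splunkweb_ssl "$SPLUNK_HOME/etc/system/local/web.conf"

enable_splunkweb_ssl() {
    conf="$1"
    mkdir -p "$(dirname "$conf")" || return 1
    [ -f "$conf" ] || : > "$conf"      # a new installation may have no local web.conf
    tmp="$(mktemp)" || return 1
    awk '
        # Write the key once, only while inside [settings].
        function emit() {
            if (in_settings && !done) { print "enableSplunkWebSSL = true"; done = 1 }
        }
        /^[ \t]*\[/ {                  # any stanza header
            emit()                     # leaving [settings] without the key: add it
            in_settings = ($0 ~ /^[ \t]*\[settings\][ \t]*$/)
            if (in_settings) seen = 1
            print; next
        }
        in_settings && /^[ \t]*enableSplunkWebSSL[ \t]*=/ {
            emit()                     # replace the old value, drop duplicates
            next
        }
        { print }                      # everything else passes through unchanged
        END {
            emit()                     # [settings] was the last stanza
            if (!seen) { print "[settings]"; print "enableSplunkWebSSL = true" }
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the existing file owner and mode are kept.
    cat "$tmp" > "$conf"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as the account that owns the Splunk installation so the file stays readable by splunkd.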


This is where Splunk documentation is found to be wanting.  One reason may be to avoid confusion since there are many possible ports Splunk could use, but very few necessary to get started.  And, as you've learned, they're all configurable so the documentation would only be a guideline.

See this answer for the basics.

Submit feedback on the documentation to let Splunk know you couldn't find the information you needed.

Here are some other ports I've collected over time.




Indexer replication






App Key Value Store


SHC replication


Receive forwarded data

If this reply helps you, Karma would be appreciated.