Splunk Enterprise installation does not details about which ports to open?




I'm following the steps here:

After installing and starting the service, I'm of course unable to access port 8000 to access the web interface because the system firewall is blocking connections. Besides port 8000, what other ports should I open through the firewall and why isn't this documented on the above page?

If anyone has a link to splunk documentation about the ports used, please let me know. I've seen lots of splunk community answers showing different ports, but others say they are user-defined. Like port 9997 for the forwarder to send data to the splunk server... I haven't configured that yet (it wasn't in the above documentation).

I see that my splunk server is currently listening on ports 8000, 8089, and 8191, according to the output of "sudo ss -tunlp"

tcp LISTEN 0 128* users:(("splunkd",pid=1806,fd=4))
tcp LISTEN 0 128* users:(("mongod",pid=2285,fd=9))
tcp LISTEN 0 128* users:(("splunkd",pid=1806,fd=100))

I tried opening a support case, but apparently I can't do that either. I'm really not sure where to ask this question, or who to ask in order to get the installation documentation updated.

If I should post this somewhere else, please let me know.

Thank you,


Labels (1)
0 Karma


Thank you! I've added just port 8000 for now, since it seems like everything else will be added later and configured separately. It doesn't seem like anything else is immediately needed. But I ran into the next undocumented problem right away: my browser, Chrome, enforces https (I can't even go to http://myhost:8000) and apparently splunk doesn't use https? I'm getting "ERR_SSL_PROTOCOL_ERROR". But I can't find any documentation about how to set up SSL (ideally a self-signed certificate to start, and then import a signed certificate at a later date).

Thanks for the tip about leaving feedback about the documentation.

For other users: I didn't notice before, but there is a "Was this topic useful?" link at the bottom of the documentation page where you can submit an email address and free-form feedback. I'm doing this now.

0 Karma


Using SSL for the web interface is documented, but can be tricky to find.  Just set enableSplunkWebSSL = true in $SPLUNK_HOME/etc/system/local/web.conf.  See for details.

If you don't have a file called $SPLUNK_HOME/etc/system/local/web.conf (which you may not on a new installation), then create it and copy the lines from the docs into the file.

Restart Splunk for the changes to take effect.

If this reply helps you, Karma would be appreciated.


This is where Splunk documentation is found to be wanting.  One reason may be to avoid confusion since there are many possible ports Splunk could use, but very few necessary to get started.  And, as you've learned, they're all configurable so the documentation would only be a guideline.

See this answer for the basics.

Submit feedback on the documentation to let Splunk know you couldn't find the information you needed.

Here are some other ports I've collected over time.




Indexer replication






App Key Value Store


SHC replication


Receive forwarded data

If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...