New ports open in Splunk 6, how are they utilized?

pkhalsa · ‎06-11-2015

At the "About upgrading to 6.2 - READ THIS FIRST" page, it states:
"This opens two network ports by default on the local machine: 8191 (for KV Store) and 8065 (for Appserver.) "

I want to upgrade my Splunk 5 search head to Splunk 6 today and upgrade all my indexers next week. In the meantime, I wanted to know if the indexers and search head will be communicating on these new ports? I assume so, but this statement isn't so explicit. When it says the ports are opened "on the local machine," it's not clear who the local machine will be communicating with when the new ports are opened.
Thanks.

malmoore · ‎06-11-2015

The new network ports for Splunk Enterprise 6.2 are open for connections to the local instance. This means that other instances (such as search head cluster members, indexer cluster members, etc.) that use App Key Value Store (port 8191) and Appserver (8065) use these ports to handle those specific operations. If you block those ports, that communication can't happen.

Jrubalcaba · ‎09-12-2016

Are these ports inbound or outbound?

malmoore · ‎09-13-2016

They are inbound, meaning that the Splunk process listens for connections from other hosts on these ports.

pkhalsa · ‎06-11-2015

Thanks. Will App Key Value Store and Appserver be turned on automatically when I upgrade? Are they essential for Splunk 6 to operate? Otherwise I'm not sure I necessarily need to open up those ports.

malmoore · ‎06-11-2015

Yes, both will be turned on when you upgrade. You should determine whether or not you need to use both features before disabling them. A number of apps use App Key Value a Store, for example.

New ports open in Splunk 6, how are they utilized?

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...