Splunk relies on various ports to facilitate communication between its components and enable data ingestion from external sources. Understanding the default ports used by Splunk is crucial for anyone working with the platform. In this article, we will explore the default ports used by Splunk and provide a detailed list for your reference. Whether you are setting up a new Splunk deployment, troubleshooting network issues, or configuring firewall rules, this guide will serve as a valuable resource to ensure your Splunk environment is properly configured and secure. So, let’s dive in and discover the world of Splunk default ports!
Tables on this page:
What is a Default Port?
A port is considered to be default when the software sets it automatically, when the community uses it as a default, and when admins cannot change the port. Essentially, these are all the possible ways to define a default port, even though they are all very different. For clarity in this guide, we will label them below:
- Default: In our definition, a default is when the port is set without the user specifying the port. For example, Splunk Web (on-prem) runs on port 8000 by default. The user does not choose it, but they can change it if they wish.
- Convention: These ports are used so often that they feel like default ports. The admin sets the port and can select any other port. The “Splunk Forwarding” port of 9997 is a great example. For Splunk Enterprise, it is not a default, yet almost every environment uses it.
- Default – Immutable: This is a caveat for default ports where the user cannot modify the port. We find these mostly in managed services such as Splunk Cloud.
What is a Port in Splunk?
In Splunk, ports are communication endpoints. When processes or applications exchange information over a network, they use a port to segment the data.
In this article, we are referring specifically to the Transmission Control Protocol (TCP) communications standard when we talk about ports as communication endpoints (unless we specifically refer to an alternative).
Splunk Enterprise - Default Ports
Splunk Enterprise is defined as on “on-premise” instance of Splunk. On-premise in this case could be a physical or virtual server in your companies data center or in your companies cloud provider, such as AWS or Azure.
| Splunk Enterprise Ports | Splunk Component | Type | Description |
|---|---|---|---|
| 514 | Syslog | Convention - Not Recommended | Syslog, TCP or UDP. Recommendation is to send Syslog to a Syslog Collector tool (Syslog-NG, rsyslog, etc) instead of to Splunk |
| 8000 | Web Interface | Default | Splunk Web (HTTP by Default) |
| 8080, 9887 | Indexers | Default | Indexer replication |
| 8081, 8181, 9887 | Search Heads | Default | SHC Replication |
| 8088 | HTTP Event Collector (HEC) | Default | Collects data sent to Splunk over HTTP |
| 8089 | Splunk | Default | Management port |
| 8089 | Indexers | Default | REST API Access |
| 8089 | Deployment Server | Default | Management port for Splunk deployment server. |
| 8089 | Search Heads | Default | Management port for Splunk search heads |
| 8191 | KVStore | Default | Internal and Replication |
| 9997 | Forwarders | Convention | Default forwarding port for sending data to indexers. |
| 9998 | Universal Forwarders and Indexers | Default | SSL communication between forwarders and indexers |
Splunk Cloud - Default Ports
Splunk Cloud delivers a fully managed service, empowering users to access and utilize its powerful data analytics capabilities. It provides the same benefits of Splunk Enterprise as a cloud-based service. Using Splunk Cloud Platform, you gain the functionality of Splunk Enterprise for collecting, searching, monitoring, reporting, and analyzing all of your data using a cloud service that is centrally and uniformly delivered by Splunk.
| Splunk Cloud Ports | Splunk Component | Type | Description |
|---|---|---|---|
| 443 | Client connectivity (SSL) | Default - Immutable | Web Connection. Mandatory SSL |
| 8088 | HTTP Event Collector (HEC) | Default | Collects data sent to Splunk over HTTPS |
| 8089 | Splunk Servers | Default - Immutable | Management, API Access |
| 9997 | Splunk Forwarders | Default - Immutable | Default forwarding port for sending data to indexers. |
Splunk Observability Cloud Open Telemetry Collector - Default Ports
Splunk Observability Cloud provides a comprehensive, unified platform for monitoring and troubleshooting modern applications and infrastructure. By leveraging metrics, traces, and logs, users can gain real-time visibility into the health and performance of their systems
| Splunk OTC Ports | Splunk OTC Usage | Type | Description |
|---|---|---|---|
| 4317, 4318 | Smart Agent Receiver | Default | OLTP Receiver - HTTP / gRPC communication between the OTLC and other components. |
| 6831, 6832, 14250, 14268 | Jaeger Receiver - Thrify and gRPC | Default | Receiving Jaeger spans over UDP |
| 6060 | HTTP Forwarder - Smart Agent | Default | Receives Smart Agent apiUrl data |
| 7276 | SAPM Trace receiver | Default | Receives traces from other collectors or SignalFx |
| 8006 | Fluent Forward Receiver | Default | Receiving telemetry data from Fluent Bit instances. |
| 8888 | Internal Prometheus | Default | Internal Prometheus metrics |
| 9080 | Smart Agent Receiver - SignalFxForwarder | Deprecated | Previously used for SignalFX Forwarder monitor |
| 9411 | Zipkin Receiver | Default | Used for receiving Zipkin spans over HTTP or gRPC. |
| 9943 | SignalFx Receiver | Default | SignalFx receiver - metrics, logs and events |
| 13133 | Health Check Extension | Default | Collector status reporting |
| 55679 | ZPages extension | Default | Insights into the health and performance of the OTC. |
Splunk SOAR Clustered Deployment - Default Ports
Splunk SOAR for Clustered Deployments delivers a scalable and resilient solution for security orchestration, automation, and response. By distributing workloads across multiple nodes, users can ensure high availability and handle increased throughput demands. Moreover, they can automate complex security workflows, streamline incident response processes, and enhance collaboration among security teams. The list below may not be exhaustive based on optional connectivity to external systems.
| Splunk SOAR Ports | Splunk Component | Type | Description |
|---|---|---|---|
| 22 | SSH - Cluster admin | Default | System administration |
| 80 | HTTP Web | Default | HTTP (redirected to HTTPS) |
| 123 | Chronyd Service | Default / Required | System clock synchronization |
| 443 | HTTPS Web | Default / Required | Installation and upgrades. |
| 443 | Splunk Mobile | Convention | HTTPS (unprivileged install is changeable) |
| 443 | HTTPS Web | Default | Client web interface |
| 443 | HTTPS REST API | Default | REST API port |
| 4369 | RabbitMQ | Default | RabbitMQ port mapper |
| 5100 – 5120 | Daemon inter-process ports | Default | Daemon inter-process communication. |
| 5671 | RabbitMQ | Default | RabbitMQ service |
| 8300, 8301, 8302 | Consol RPC | Default | cluster nodes must be able to communication. |
| 8443 | HTTPS Web | Convention | Client web interface |
| 8443 | HTTPS REST API | Convention | REST API port |
| 8888 | WebSocket server | Default | Internal communications between the WebSocket server and other components. |
| 9999 | HTTPS Web | Default | HTTPS default when using AMI-based deployment |
| 15672 | RabbitMQ | Default | RabbitMQ admin UI - Optional, disabled by default. |
| 25672 | RabbitMQ | Default | RabbitMQ internode communications |
Disclaimer: The ports above are current as of May 2024. Most of these ports have been static through the years but may change to support new services and offerings. It is essential to regularly review the Splunk documentation and consult with your organization’s Splunk Administrator for the most up-to-date information on network ports and their usage in your environment.
Need Flexible Resources for Splunk Help?
We’ve got you covered! With Kinney Group’s Atlas Expertise on Demand (EOD) offering you don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Along with our EOD offering, Kinney Group also provides a software platform called Atlas. Atlas is the only platform running on Splunk, that is designed to help you keep your Splunk environment running at its best. As a starting point, the Atlas Assessment can quickly provide valuable insight into how your Splunk environment is performing. It can also identify opportunities for improvement. Atlas Assessment is free and available for download from Splunkbase. Click here to learn more about Atlas!
