Splunk Default Ports: A Comprehensive List

Written by: Kinney Group | Last Updated: May 10, 2024

Originally Published: May 10, 2024

Splunk relies on various ports to facilitate communication between its components and enable data ingestion from external sources. Understanding the default ports used by Splunk is crucial for anyone working with the platform. In this article, we will explore the default ports used by Splunk and provide a detailed list for your reference. Whether you are setting up a new Splunk deployment, troubleshooting network issues, or configuring firewall rules, this guide will serve as a valuable resource to ensure your Splunk environment is properly configured and secure. So, let’s dive in and discover the world of Splunk default ports!

What is a Default Port?

A port may be called a default when the software sets it automatically, when the community uses it as a default, or when admins cannot change it. These are the possible ways to define a default port, even though they are all very different. For clarity in this guide, we label them as follows:

  • Default: In our definition, a default is when the port is set without the user specifying the port. For example, Splunk Web (on-prem) runs on port 8000 by default. The user does not choose it, but they can change it if they wish. 
  • Convention: These ports are used so often that they feel like default ports. The admin sets the port and can select any other port. The “Splunk Forwarding” port of 9997 is a great example. For Splunk Enterprise, it is not a default, yet almost every environment uses it. 
  • Default – Immutable: This is a caveat for default ports where the user cannot modify the port. We find these mostly in managed services such as Splunk Cloud.

What is a Port in Splunk?

In Splunk, ports are communication endpoints. When processes or applications exchange information over a network, they use a port to segment the data.

In this article, we are referring specifically to the Transmission Control Protocol (TCP) communications standard when we talk about ports as communication endpoints (unless we specifically refer to an alternative). 

Splunk Enterprise - Default Ports

Splunk Enterprise is defined as an “on-premise” instance of Splunk. On-premise in this case could be a physical or virtual server in your company's data center or in your company's cloud provider, such as AWS or Azure.

| Splunk Enterprise Ports | Splunk Component | Type | Description |
|---|---|---|---|
| 514 | Syslog | Convention - Not Recommended | Syslog, TCP or UDP. Recommendation is to send Syslog to a Syslog Collector tool (Syslog-NG, rsyslog, etc) instead of to Splunk |
| 8000 | Web Interface | Default | Splunk Web (HTTP by Default) |
| 8080, 9887 | Indexers | Default | Indexer replication |
| 8081, 8181, 9887 | Search Heads | Default | SHC Replication |
| 8088 | HTTP Event Collector (HEC) | Default | Collects data sent to Splunk over HTTP |
| 8089 | Splunk | Default | Management port |
| 8089 | Indexers | Default | REST API Access |
| 8089 | Deployment Server | Default | Management port for Splunk deployment server. |
| 8089 | Search Heads | Default | Management port for Splunk search heads |
| 8191 | KVStore | Default | Internal and Replication |
| 9997 | Forwarders | Convention | Default forwarding port for sending data to indexers. |
| 9998 | Universal Forwarders and Indexers | Default | SSL communication between forwarders and indexers |
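
An added example (not from the original article or from Splunk): a Python check that classifies a host's listening TCP sockets against the Enterprise table above, using the article's Default and Convention labels. The `ss -tlnH` sample is constructed, and the function name, port-to-component summaries and note wording are assumptions of this example.

```python
# Port -> (component, type), summarized from the Splunk Enterprise table above.
ENTERPRISE_PORTS = {
    514: ("Syslog", "Convention - Not Recommended"),
    8000: ("Web Interface", "Default"),
    8080: ("Indexer replication", "Default"),
    8081: ("SHC replication", "Default"),
    8088: ("HTTP Event Collector (HEC)", "Default"),
    8089: ("Management / REST API", "Default"),
    8181: ("SHC replication", "Default"),
    8191: ("KVStore", "Default"),
    9887: ("Indexer / SHC replication", "Default"),
    9997: ("Forwarders", "Convention"),
    9998: ("Forwarder-to-indexer SSL", "Default"),
}

# Constructed sample of `ss -tlnH` output, not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8089 0.0.0.0:*
LISTEN 0 128 [::]:9997 [::]:*
LISTEN 0 128 0.0.0.0:514 0.0.0.0:*
LISTEN 0 128 *:22 *:*
"""

def audit_listeners(ss_output):
    """Classify each listening TCP socket against the Enterprise table."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port_s = fields[3].rpartition(":")  # keeps "[::]" intact
        if not port_s.isdigit():
            continue
        port = int(port_s)
        component, kind = ENTERPRISE_PORTS.get(port, ("unlisted", "Not in table"))
        loopback = addr.startswith("127.") or addr == "[::1]"
        notes = []
        if port == 514:  # the table marks direct syslog as not recommended
            notes.append("send syslog to a collector (Syslog-NG, rsyslog) instead")
        if port == 8000:  # the table lists Splunk Web as HTTP by default
            notes.append("Splunk Web is HTTP by default; confirm TLS")
        if kind != "Not in table" and not loopback:
            notes.append("bound off-loopback; confirm firewall scope")
        findings.append({"port": port, "bind": addr, "component": component,
                         "type": kind, "notes": notes})
    return findings

for finding in audit_listeners(SAMPLE_SS): print(finding)
```

A listener on a Convention port such as 9997 only exists because an admin configured it, so its presence is worth checking against the intended receiver list.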

Splunk Cloud - Default Ports

Splunk Cloud delivers a fully managed service, empowering users to access and utilize its powerful data analytics capabilities. It provides the same benefits of Splunk Enterprise as a cloud-based service. Using Splunk Cloud Platform, you gain the functionality of Splunk Enterprise for collecting, searching, monitoring, reporting, and analyzing all of your data using a cloud service that is centrally and uniformly delivered by Splunk.

| Splunk Cloud Ports | Splunk Component | Type | Description |
|---|---|---|---|
| 443 | Client connectivity (SSL) | Default - Immutable | Web Connection. Mandatory SSL |
| 8088 | HTTP Event Collector (HEC) | Default | Collects data sent to Splunk over HTTPS |
| 8089 | Splunk Servers | Default - Immutable | Management, API Access |
| 9997 | Splunk Forwarders | Default - Immutable | Default forwarding port for sending data to indexers. |

Splunk Observability Cloud Open Telemetry Collector - Default Ports

Splunk Observability Cloud provides a comprehensive, unified platform for monitoring and troubleshooting modern applications and infrastructure. By leveraging metrics, traces, and logs, users can gain real-time visibility into the health and performance of their systems.

| Splunk OTC Ports | Splunk OTC Usage | Type | Description |
|---|---|---|---|
| 4317, 4318 | Smart Agent Receiver | Default | OTLP Receiver - HTTP / gRPC communication between the OTC and other components. |
| 6831, 6832, 14250, 14268 | Jaeger Receiver - Thrift and gRPC | Default | Receiving Jaeger spans over UDP |
| 6060 | HTTP Forwarder - Smart Agent | Default | Receives Smart Agent apiUrl data |
| 7276 | SAPM Trace receiver | Default | Receives traces from other collectors or SignalFx |
| 8006 | Fluent Forward Receiver | Default | Receiving telemetry data from Fluent Bit instances. |
| 8888 | Internal Prometheus | Default | Internal Prometheus metrics |
| 9080 | Smart Agent Receiver - SignalFxForwarder | Deprecated | Previously used for SignalFx Forwarder monitor |
| 9411 | Zipkin Receiver | Default | Used for receiving Zipkin spans over HTTP or gRPC. |
| 9943 | SignalFx Receiver | Default | SignalFx receiver - metrics, logs and events |
| 13133 | Health Check Extension | Default | Collector status reporting |
| 55679 | ZPages extension | Default | Insights into the health and performance of the OTC. |

Splunk SOAR Clustered Deployment - Default Ports

Splunk SOAR for Clustered Deployments delivers a scalable and resilient solution for security orchestration, automation, and response. By distributing workloads across multiple nodes, users can ensure high availability and handle increased throughput demands. Moreover, they can automate complex security workflows, streamline incident response processes, and enhance collaboration among security teams. The list below may not be exhaustive based on optional connectivity to external systems.

| Splunk SOAR Ports | Splunk Component | Type | Description |
|---|---|---|---|
| 22 | SSH - Cluster admin | Default | System administration |
| 80 | HTTP Web | Default | HTTP (redirected to HTTPS) |
| 123 | Chronyd Service | Default / Required | System clock synchronization |
| 443 | HTTPS Web | Default / Required | Installation and upgrades. |
| 443 | Splunk Mobile | Convention | HTTPS (unprivileged install is changeable) |
| 443 | HTTPS Web | Default | Client web interface |
| 443 | HTTPS REST API | Default | REST API port |
| 4369 | RabbitMQ | Default | RabbitMQ port mapper |
| 5100 – 5120 | Daemon inter-process ports | Default | Daemon inter-process communication. |
| 5671 | RabbitMQ | Default | RabbitMQ service |
| 8300, 8301, 8302 | Consul RPC | Default | Cluster nodes must be able to communicate. |
| 8443 | HTTPS Web | Convention | Client web interface |
| 8443 | HTTPS REST API | Convention | REST API port |
| 8888 | WebSocket server | Default | Internal communications between the WebSocket server and other components. |
| 9999 | HTTPS Web | Default | HTTPS default when using AMI-based deployment |
| 15672 | RabbitMQ | Default | RabbitMQ admin UI - Optional, disabled by default. |
| 25672 | RabbitMQ | Default | RabbitMQ internode communications |

Disclaimer: The ports above are current as of May 2024. Most of these ports have been static through the years but may change to support new services and offerings. It is essential to regularly review the Splunk documentation and consult with your organization’s Splunk Administrator for the most up-to-date information on network ports and their usage in your environment.

Need Flexible Resources for Splunk Help?

We’ve got you covered! With Kinney Group’s Atlas Expertise on Demand (EOD) offering, you don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Along with our EOD offering, Kinney Group also provides a software platform called Atlas. Atlas is the only platform running on Splunk that is designed to help you keep your Splunk environment running at its best. As a starting point, the Atlas Assessment can quickly provide valuable insight into how your Splunk environment is performing. It can also identify opportunities for improvement. Atlas Assessment is free and available for download from Splunkbase.
