Splunk Default Ports: What are they? This article will go through the default ports for Splunk Enterprise, Splunk Cloud, and a few other Splunk products.
What is a Port in Splunk?
In Splunk, ports are communication endpoints. When processes or applications exchange information over a network, they use a port to segment the data.
In this article, we are referring specifically to Transmission Control Protocol (TCP) communications standard when we talk about ports as communication endpoints (unless we specifically refer to an alternative).
What is a Splunk Default Port?
A port is considered a default when the software sets it automatically, when the community uses it as a default, and when admins cannot change the port. While it may seem ridiculous, these are all the possible ways to define a default port, even though they are all very different. For clarity in this guide, we will label them below.
- Default: In our definition, a default is when the port is set without the user specifying the port. For example, Splunk Web (on-prem) runs on port 8000 by default. The user does not choose it, but they can change it if they wish.
- Convention: These ports are used so often that they feel like default ports. The admin sets the port and can select any other port. The “Splunk Forwarding” port of 9997 is a great example. For Splunk Enterprise, it is not a default, yet almost every environment uses it.
- Default – Immutable: This is a caveat for default ports where the user cannot modify the port. We find these mostly in managed services such as Splunk Cloud.
Splunk Enterprise Default Ports
| Port | Type | Description |
| 9997 | Convention | Splunk-to-Splunk (e.g., Forwarding Data) |
| 8000 | Default | Splunk Web (HTTP by Default) |
| 8089 | Default | API Access to Servers |
| 8089 | Default | Non-Forwarding Splunk-to-Splunk Communication |
| 9100 / 8080 | Convention | Index Cluster Replication.
Different sources list different recommendation |
| 9200 / 9777 | Convention | Search Head Cluster Replication
Different sources list different recommendation |
| 8191 | Default | KVStore, Internal and Replication |
| 8088 | Default | HTTP Event Collector |
| 514 | Convention – Not Recommended | Syslog, TCP or UDP.
Recommendation is to send Syslog to a Syslog Collector tool (Syslog-NG, rsyslog, etc) instead of to Splunk |
Splunk Cloud Default Ports
| Port | Type | Description |
| 443 | Default – Immutable | Web Connection. Mandatory SSL |
| 443 | Default – Immutable | HTTP Event Collector |
| 9997 | Default – Immutable | Splunk-to-Splunk (e.g., Forwarding Data) |
| 8089 | Default – Immutable | API Access (the SH, Premium SH, or IDM) |
| 8089 | Default – Immutable | Federated Search |
| 8089 | Default – Immutable | Hybrid Search (While it lasts) |
Splunk Observability Cloud OpenTelemetry Collector Default Ports
| Port | Type | Description |
| 13133 | Default | Health Check Extension |
| 6831, 6832, 14250, 14268 | Default | Jaeger Receiver – Thrify and gRPC |
| 55679 | Default | ZPages extension |
| 4317, 4318 | Default | OLTP receiver – gRPC and http |
| 6060 | Default | HTTP Forwarder – Smart Agent |
| 7276 | Default | SAPM Trace receiver |
| 8888 | Default | Internal Prometheus |
| 8006 | Default | Fluent forward receiver |
| 9080 | Default | Smart Agent receiver – SignalFxForwarder |
| 9411 | Default | Zipkin Receiver |
| 9943 | Default | SignalFx receiver – metrics and events |
Splunk SOAR Default Ports for Clustered Deployments – On-Prem
| Port | Type | Description |
| 22 | Default | SSH – Cluster admin |
| 80 | Default | HTTP (redirected to HTTPS) |
| 443 | Default | HTTPS (unprivileged install is changeable) |
| 443 | Default | REST API port |
| 8443 | Default | HTTPS default when using AMI-based deployment |
| 4369 | Default | RabbitMQ port mapper |
| 5100 – 5120 | Default | Daemon inter-process ports |
| 5671 | Default | RabbitMQ service |
| 8300 | Default | Consol RPC services |
| 8301 | Default | Consol internode communication |
| 8302 | Default | Consol internode communication |
| 8888 | Default | WebSocket server |
| 15672 | Default | RabbitMQ admin UI — Optional |
| 25672 | Default | RabbitMQ internode communications |
Disclaimer: These ports are current as of January 2023. Most of these ports have been static through the years but expect more ports to support new services and offerings.
Primary Sources Used and Cited:
Splunk Enterprise Installation Manual: https://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual
Securing Splunk Enterprise: https://docs.splunk.com/Documentation/Splunk/latest/Security/WhatyoucansecurewithSplunk
Securing Splunk Cloud Platform: https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/WhatyoucansecurewithSplunk
Getting Started with the Splunk Distribution of OpenTelemetry Collector: https://docs.splunk.com/Observability/gdi/opentelemetry/exposed-endpoints.html
Install and Upgrade Splunk SOAR (on-premises): https://docs.splunk.com/Documentation/SOARonprem/latest/Install/Ports
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the button below:
