
Splunk Default Ports (Comprehensive List)

 

Written by: The Kinney Group Team | Last Updated: January 27, 2023 | Originally Published: January 20, 2023

Splunk Default Ports: What are they? This article will go through the default ports for Splunk Enterprise, Splunk Cloud, and a few other Splunk products.

What is a Port in Splunk?

In Splunk, ports are communication endpoints. When processes or applications exchange information over a network, they use a port to segment the data.

In this article, when we talk about ports as communication endpoints, we are referring specifically to the Transmission Control Protocol (TCP) communications standard (unless we specifically refer to an alternative).


What is a Splunk Default Port?  

A port is considered a default when the software sets it automatically, when the community uses it as a default, or when admins cannot change the port. While it may seem ridiculous, these are all the possible ways to define a default port, even though they are all very different. For clarity in this guide, we label each port with one of the types below.

  • Default: In our definition, a default is when the port is set without the user specifying the port. For example, Splunk Web (on-prem) runs on port 8000 by default. The user does not choose it, but they can change it if they wish. 
  • Convention: These ports are used so often that they feel like default ports. The admin sets the port and can select any other port. The “Splunk Forwarding” port of 9997 is a great example. For Splunk Enterprise, it is not a default, yet almost every environment uses it. 
  • Default – Immutable: This is a caveat for default ports where the user cannot modify the port. We find these mostly in managed services such as Splunk Cloud.

Splunk Enterprise Default Ports

 

Port  Type  Description
9997  Convention  Splunk-to-Splunk (e.g., Forwarding Data)
8000  Default  Splunk Web (HTTP by Default)
8089  Default  API Access to Servers
8089  Default  Non-Forwarding Splunk-to-Splunk Communication
9100 / 8080  Convention  Index Cluster Replication. Different sources list different recommendations.
9200 / 9777  Convention  Search Head Cluster Replication. Different sources list different recommendations.
8191  Default  KVStore, Internal and Replication
8088  Default  HTTP Event Collector
514  Convention – Not Recommended  Syslog, TCP or UDP. Recommendation is to send Syslog to a Syslog Collector tool (Syslog-NG, rsyslog, etc.) instead of to Splunk.
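An added example, not from the original article or from Splunk: a small Python audit that reads web.conf and inputs.conf text and labels each listener with the Default/Convention types used in the table above, flagging the two cases the table calls out (Splunk Web on plain HTTP, and syslog sent straight to Splunk on 514). The sample configuration is constructed, and the function name audit is an assumption of this example; httpport, enableSplunkWebSSL, mgmtHostPort and the splunktcp/tcp/udp/http stanzas are standard Splunk configuration names.

```python
import configparser
import re

# Constructed sample configuration, not taken from any real deployment.
WEB_CONF = """
[settings]
httpport = 8443
mgmtHostPort = 127.0.0.1:8089
"""
INPUTS_CONF = """
[splunktcp://9997]
[udp://514]
sourcetype = syslog
[http]
disabled = 0
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit(web_conf, inputs_conf):
    """Return (port, label, note) tuples; labels follow the table above."""
    web, inputs = _parse(web_conf), _parse(inputs_conf)
    httpport = web.getint("settings", "httpport", fallback=8000)
    moved = "" if httpport == 8000 else " (changed from 8000)"
    out = [(httpport, "Default", "Splunk Web" + moved)]
    # Splunk Web is HTTP unless enableSplunkWebSSL is turned on.
    if not web.getboolean("settings", "enableSplunkWebSSL", fallback=False):
        out.append((httpport, "Finding", "Splunk Web serves plain HTTP"))
    mgmt = web.get("settings", "mgmtHostPort", fallback="127.0.0.1:8089")
    out.append((int(mgmt.rsplit(":", 1)[1]), "Default", "management/API"))
    for stanza in inputs.sections():
        if inputs.getboolean(stanza, "disabled", fallback=False):
            continue  # disabled inputs do not open a listener
        m = re.match(r"(splunktcp|tcp|udp)://(?:.*:)?(\d+)$", stanza)
        if m and m.group(1) == "splunktcp":
            out.append((int(m.group(2)), "Convention", "Splunk-to-Splunk forwarding"))
        elif m and int(m.group(2)) == 514:
            out.append((514, "Finding", f"syslog over {m.group(1)} sent straight to Splunk"))
        elif stanza == "http":
            port = inputs.getint("http", "port", fallback=8088)
            out.append((port, "Default", "HTTP Event Collector"))
    return out

if __name__ == "__main__":
    for row in audit(WEB_CONF, INPUTS_CONF):
        print(row)
```

The returned list doubles as the input for firewall rules: every port in it needs an explicit allow, and every "Finding" row is a setting to change before opening that port.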

 

Splunk Cloud Default Ports 

 

Port  Type  Description 
443  Default – Immutable  Web Connection. Mandatory SSL 
443  Default – Immutable  HTTP Event Collector 
9997  Default – Immutable  Splunk-to-Splunk (e.g., Forwarding Data) 
8089  Default – Immutable  API Access (the SH, Premium SH, or IDM) 
8089  Default – Immutable  Federated Search 
8089  Default – Immutable  Hybrid Search (While it lasts) 

Splunk Observability Cloud OpenTelemetry Collector Default Ports

 

Port  Type  Description 
13133  Default  Health Check Extension 
6831, 6832, 14250, 14268  Default  Jaeger Receiver – Thrift and gRPC
55679  Default  ZPages extension
4317, 4318  Default  OTLP receiver – gRPC and HTTP
6060  Default  HTTP Forwarder – Smart Agent 
7276  Default  SAPM Trace receiver 
8888  Default  Internal Prometheus 
8006  Default  Fluent forward receiver 
9080  Default  Smart Agent receiver – SignalFxForwarder 
9411  Default  Zipkin Receiver 
9943  Default  SignalFx receiver – metrics and events 

Splunk SOAR Default Ports for Clustered Deployments – On-Prem 

 

Port  Type  Description 
22  Default  SSH – Cluster admin 
80  Default  HTTP (redirected to HTTPS) 
443  Default  HTTPS (unprivileged install is changeable)
443  Default  REST API port 
8443  Default  HTTPS default when using AMI-based deployment 
4369  Default  RabbitMQ port mapper 
5100 – 5120  Default  Daemon inter-process ports 
5671  Default  RabbitMQ service 
8300  Default  Consul RPC services
8301  Default  Consul internode communication
8302  Default  Consul internode communication
8888  Default  WebSocket server 
15672  Default  RabbitMQ admin UI — Optional 
25672  Default  RabbitMQ internode communications 

Disclaimer: These ports are current as of January 2023. Most of these ports have been static through the years but expect more ports to support new services and offerings. 

 

Primary Sources Used and Cited: 

Splunk Enterprise Installation Manual: https://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual 

Securing Splunk Enterprise: https://docs.splunk.com/Documentation/Splunk/latest/Security/WhatyoucansecurewithSplunk 

Securing Splunk Cloud Platform: https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/WhatyoucansecurewithSplunk 

Getting Started with the Splunk Distribution of OpenTelemetry Collector: https://docs.splunk.com/Observability/gdi/opentelemetry/exposed-endpoints.html 

Install and Upgrade Splunk SOAR (on-premises): https://docs.splunk.com/Documentation/SOARonprem/latest/Install/Ports
