Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Bind Splunk to an IP

You can force Splunk to bind its ports to a specified IP address. By default, Splunk will bind to the IP address 0.0.0.0, meaning all available IP addresses.

Changing Splunk's bind IP only applies to the Splunk daemon (splunkd), which listens on:

  • TCP port 8089 (by default)
  • any port that has been configured as for:
    • SplunkTCP inputs
    • TCP or UDP inputs

To bind the Splunk Web process (splunkweb) to a specific IP, use the server.socket_host setting in web.conf.

Temporarily

To make this a temporary change, set the environment variable SPLUNK_BINDIP=<ipaddress> before starting Splunk.

Permanently

If you want this to be a permanent change in your working environment, modify $SPLUNK_HOME/etc/splunk-launch.conf to include the SPLUNK_BINDIP attribute and <ipaddress> value. For example, to bind Splunk ports to 127.0.0.1 (for local loopback only), splunk-launch.conf should read:

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory this configuration
# file was found in
#
# SPLUNK_HOME=/opt/splunk
SPLUNK_BINDIP=127.0.0.1

Important: The mgmtHostPort attribute in web.conf has a default value of 127.0.0.1:8089. Therefore, if you change SPLUNK_BINDIP to any value besides 127.0.0.1, you must also change mgmtHostPort to use the same IP address. For example, if you make this change in splunk-launch.conf:

SPLUNK_BINDIP=10.10.10.1

you must also make this change in web.conf (assuming the management port is 8089):

mgmtHostPort=10.10.10.1:8089

See web.conf for more information on the mgmtHostPort attribute.

IPv6 considerations

Starting in version 4.3, the web.conf mgmtHostPort setting has been extended to allow it to take IPv6 addresses if they are enclosed in square brackets. Therefore, if you configure splunkd to only listen on IPv6 (via the setting in server.conf described in "Configure Splunk for IPv6" in this manual), you must change this from 127.0.0.1:8089 to [::1]:8089.

Last modified on 28 July, 2021
Change default values   Configure Splunk for IPv6

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters