Splunk® Enterprise

Admin Manual

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Bind Splunk to an IP

By default, the Splunk Enterprise services are bound to IP address 0.0.0.0, meaning all available IP addresses on the host machine. You can force Splunk Enterprise to bind all service ports to a specified IP address.

Changing the IP address applies to the Splunk daemon (splunkd) services:

  • TCP port 8089 (by default)
  • Splunk Web port 8000 (by default)
  • Any port that has been configured as for:
    • SplunkTCP inputs
    • TCP or UDP inputs
    • HEC inputs
  • App Server port 8065 (by default)
  • KV Store port 8191 (by default)

To bind the Splunk Web process (splunkweb) to a specific IP, use the server.socket_host setting in web.conf.

Temporarily change the IP address

To make this a temporary change, use the environment variable SPLUNK_BINDIP=<ipaddress> to set an IP address before starting Splunk Enterprise services.

Permanently change the IP address

To permanently change the default IP address for a host machine, update the $SPLUNK_HOME/etc/splunk-launch.conf to include the SPLUNK_BINDIP attribute and <ipaddress> value.

For example, to bind Splunk ports to 127.0.0.1 (for local loopback only), splunk-launch.conf should read: 

# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory this configuration
# file was found in
#
# SPLUNK_HOME=/opt/splunk
SPLUNK_BINDIP=127.0.0.1

Important: The mgmtHostPort attribute in web.conf has a default value of 0.0.0.0:8089. If you use SPLUNK_BINDIP to enforce a different IP address, you must also change mgmtHostPort to use the same IP address.

For example, if you change the splunk-launch.conf: 

SPLUNK_BINDIP=10.10.10.1

you must also change the web.conf to IP address to match: 

mgmtHostPort=10.10.10.1:8089

See web.conf for more information on the mgmtHostPort attribute.

IPv6 considerations

The mgmtHostPort setting in web.conf accepts IPv6 addresses if they are enclosed in square brackets. If you configure splunkd to only listen on IPv6, you must update the mgmtHostPort to use [::1]:8089 instead of 127.0.0.1:8089. See "Configure Splunk for IPv6".

Last modified on 08 August, 2023
Change default values   Configure Splunk Enterprise for IPv6

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters