Splunk® Enterprise

Inherit a Splunk Enterprise Deployment

Download manual as PDF

Download topic as PDF

Components and their relationship with the network

Splunk Enterprise components require network connectivity to work properly if they have been distributed across multiple machines, and even in cases where the components are on one machine.

Splunk components communicate with each other using TCP and UDP network protocols. A firewall that has not been configured to allow these ports open can block communication between the Splunk instances.

Splunk software uses the following network ports to communicate between its components by default or by convention. You can perform a network port scan on a host to determine if it is listening on a port. Record open port numbers on your deployment diagram.

Component Purpose Communicates on Listens on
All components* Management / REST API N/A TCP/8089
Search head / Indexer Splunk Web access Any TCP/8000
Search head App Key Value Store Any TCP/8065, TCP/8191
Indexer Receiving data from forwarders N/A TCP/9997
Indexer cluster peer node / Search head cluster member Cluster replication N/A TCP/9887
Indexer/Forwarder Network input (syslog) N/A UDP/514

Diagrams

The following diagrams show the network ports that Splunk software listens on.

SplunkNetworkPorts.png SplunkNetworkPortsCluster.png

PREVIOUS
Examine configuration files to determine your topology
  NEXT
Learn about the data in your Splunk deployment

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2, 8.0.0


Comments

TCP 9887 appears on neither diagram.

DUThibault
May 31, 2019

Pbdti and Renjith.nair, we've updated the diagram on this page. Thanks for the suggestions!

Andrewb splunk, Splunker
March 11, 2019

It would be nice if this also included the Monitoring Console and Phantom integrations

Junshi
September 5, 2018

Shouldn't we mention 8088 for HEC also here?

Renjith.nair
August 10, 2018

Hi Pbdti,

We're in the process of finishing up a diagram for clustered instances. After it has been completed, we will post it here. Thanks for your patience.

Malmoore, Splunker
January 26, 2018

Agree on the cluster master would be helpful as well - where they connect with 8089 and to which systems would be helpful, even if that required a more in-depth diagram with a full system-by-system sample configuration.

Pbdti
January 25, 2018

Indexer cluster masters use TCP/8089 for their connections.

I'll do some investigating on why we didn't include this here; I think it was to keep things simple. I'll advise. Thanks.

Malmoore, Splunker
November 7, 2017

The diagram is missing a representation of the cluster master.

Mwilson splunk, Splunker
November 2, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters