Components and their relationship with the network
Splunk Enterprise components require network connectivity to work properly, both when they are distributed across multiple machines and when they all run on one machine.
Splunk components communicate with each other using TCP and UDP network protocols. A firewall that has not been configured to allow traffic on these ports can block communication between Splunk instances.
Splunk software uses the following network ports to communicate between its components by default or by convention. You can perform a network port scan on a host to determine if it is listening on a port. Record open port numbers on your deployment diagram.
| Component | Purpose | Communicates on | Listens on |
|---|---|---|---|
| All components* | Management / REST API | N/A | TCP/8089 |
| Search head / Indexer | Splunk Web access | Any | TCP/8000 |
| Search head | App Key Value Store | Any | TCP/8065, TCP/8191 |
| Indexer | Receiving data from forwarders | N/A | TCP/9997 |
| Indexer cluster peer node / Search head cluster member | Cluster replication | N/A | TCP/9887 |
| Indexer/Forwarder | Network input (syslog) | N/A | UDP/514 |
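The port check described above can be scripted for hosts in your own deployment. The following is an added example, not part of the Splunk documentation: it tests the default TCP ports from the table and returns rows you can copy onto the deployment diagram. The function names and the `closed/filtered` label are choices made for this example.

```python
import socket
import sys

# Default TCP listeners from the table above: port -> (component, purpose).
SPLUNK_TCP_PORTS = {
    8089: ("All components", "Management / REST API"),
    8000: ("Search head / Indexer", "Splunk Web access"),
    8065: ("Search head", "App Key Value Store"),
    8191: ("Search head", "App Key Value Store"),
    9997: ("Indexer", "Receiving data from forwarders"),
    9887: ("Indexer cluster peer node / Search head cluster member",
           "Cluster replication"),
}

def tcp_listening(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable or unresolvable: a firewall drop
        # and a port with no listener look the same from the client side.
        return False

def survey(host, ports=SPLUNK_TCP_PORTS, timeout=1.0):
    """Return (port, component, purpose, state) rows, sorted by port."""
    rows = []
    for port in sorted(ports):
        component, purpose = ports[port]
        is_open = tcp_listening(host, port, timeout)
        rows.append((port, component, purpose,
                     "open" if is_open else "closed/filtered"))
    return rows

def components_seen(rows):
    """Components whose default port answered. Ports are defaults or
    conventions, so treat this as a hint about the host's role, not proof."""
    return sorted({comp for _, comp, _, state in rows if state == "open"})

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, component, purpose, state in survey(host):
        print(f"TCP/{port:<5} {state:<16} {component}: {purpose}")
    # UDP/514 is connectionless, so a connect test cannot confirm a
    # listener; check the syslog input on the host itself.
    print("UDP/514   not tested (UDP): verify on the host")
```

A `closed/filtered` result on a port that should be listening points to either a stopped component or a firewall rule between the two machines, which is the failure mode described at the top of this topic.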
The following diagram shows the network ports that Splunk software listens on.
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3