Which Is The Default Forwarding Port In Splunk

The default forwarding port in Splunk is 9997.

Why Splunk utilizes Port 9997

Splunk utilizes port 9997 as the default forwarding port the reason being it’s a commonly unused port and it’s not assigned to any other service. Utilizing an unused port, decreases the likelihood of conflict with other different services running at the same host.

Changing the Forwarding Port in Splunk

In other cases, it’s important to change the forwarding port in Splunk. To achieve this you need to follow these steps:

  • Log in to Splunk to open its web interface.
  • Go to Settings > Forwarding & Receiving page.
  • Find the “Receiving” section.
  • Change the port number in the “TCP Port” field to the desired value.
  • Save all the changes made.

Considerations when changing Forwarding Port

  • Always ensure that the new port number isn’t in use by a different service.
  • Update every network or firewall security setting to enable traffic to a new port.
  • Update every configuration script or file that reference your old port number to reflect the change.


Splunk utilizes port 9997 as its default forwarding port. The reason is, it’s an unused port that’s not assigned to other services. If required, the forwarding port can be altered, but it’s important to check the potential impact of change including conflicts with firewall configurations and other services.

Join Telegram Join Whatsapp

Leave a Comment