TCP 9997

Protocol: TCP
Port: 9997
Labels: Splunk port for communication between the forwarders and indexers

Synopsis

  • Splunk Enterprise and Splunk Cloud indexers commonly use TCP port 9997 as the default “receiving” port for data sent by Splunk Universal Forwarders and Heavy Forwarders.
  • Real deployments include Windows/Linux servers running the Splunk Universal Forwarder sending application and system logs to Splunk indexer clusters on 9997, and Splunk Cloud forwarders using 9997 to reach Splunk Cloud ingestion endpoints.
  • Many integrations that route data into Splunk—such as Cribl Stream or Splunk Heavy Forwarders relaying logs from devices like Cisco ASA, Palo Alto Networks firewalls, and F5 BIG-IP—forward over TCP 9997 to Splunk indexers.
