I have an all-in-one Splunk environment (indexers, master, deployment all run on the same server). How do I document the setup in a diagram? What is the best way, and what configuration files have the information? My current Splunk environment has all independent servers, therefore I am not sure how an all-in-one works.
If you have a standalone server, then you should only have a single indexer with no master node.
As for the diagram, you should have a single box with the indexer/SH/DS icon next to it, which would indicate a standalone Splunk server. You should then have a few servers representing your forwarders sending info to that standalone server. When you scale out your Splunk environment, you can simply add more boxes and move your labeling from the standalone to the new boxes.
I ended up downloading the Visio from Diagram of Splunk Common Network Ports.
Then I built my own diagrams. Gorgeous work by @rob_jordan.
Thank you! Right now I can't change the way the environment is set up; I need to document the current setup in order to move forward with changing the environment. You may be right, the server may not be a master node. I know it is not clustered, and I am used to a clustered environment, which mine has been for years. I guess I am having a problem understanding how the logs move through one environment. The UFs send to the indexers and they send it to the SH at the same IP? I guess different ports?
Did this answer your question? If so, can you accept it?
Yes, thank you! I have accepted! I am still waiting to get access to the environment to confirm the setup.
The forwarders will send the data to the indexer(s) on port 9997 by default. The data will then live on the indexers, and when a user or scheduled search kicks off on the search head, it will then query the indexers via the management port 8089.
The management port is used often throughout Splunk and is also the port the deployment server uses. When you start clustering, the indexers will use port 8080 to talk to each other, and when accessing the search head, you will use port 8000.
To sum this up, you are not sending data to the search head. The forwarders send it to the indexers, and the search heads will then query the indexers. Each server will have its own IP address, so if you had a single search head and a single indexer, you would log on to the Splunk GUI by going to searchhead_IP:8000, which would then query the indexer for data.