This 3 number is apart from the load balancer, correct ? so i need 4 systems..

Ok… this question and the answers are a bit older, but maybe my post could help other Splunkers.

You need up to two kinds of services: Splunk (with Splunk Web) as an SH Cluster Member and a Load Balancer (optional).
"Optional" because you can also configure it so that User A has to use SHC Node 1, User B has to use SHC Node 2, and User C has to use SHC Node 3, or keep the other nodes as a kind of hot spare.
…If you choose a Load Balancer (which makes sense outside of Dev or Test environments), it does not necessarily need to be an external one for a Search Head Cluster.
A customer used a 3-node SH Cluster in production. On 2 nodes, an additional Apache instance was installed as an LB and configured for high availability (HA) by swapping the Virtual IP for the SH Cluster.

I just finished the Splunk Cluster Administration Course. There they use just 3 virtual machines for a multisite cluster and SH cluster with deployer and manager node.

Kind Regards
SierraX

On dev and your own lab you could do almost anything like you are willing, but in production and also test for other you should follow Splunk’s validated architecture https://docs.splunk.com/Documentation/SVA/current/Architectures/About. Of course you could play how you are implementing LB etc, but I strongly recommend to use external as those are also HA versions.

You need at least 3 search heads, and if your cluster spans more than one site/datacenter the recommendation is that you always use an odd number of members, so one site always has majority.

The load balancer can be nginx, ELB, F5, Netscaler etc (and at a pinch - DNS) - its not a Splunk sever.

Do i need a load balancer ? i could still access search heads directly via url right ?

You can, but you will only ever hit one SH - the one whose url you used.
You can do it with DNS round robin, but this will only give you 'LOAD' balancing (and not massively effective) but it will not give you any HA or FT.

Since this is dev, you could install nginx/haproxy one one (or both) of the SHs and use it to act as a load balancer. Many of the caveats above apply, but it might help
https://sites.google.com/site/mrxpalmeiras/notes/splunk-sh-cluster-ha-proxy

Thanks, can you help on another one.

i am not able to locate a guide/document to setup the search head cluster.
all i am getting is what search head cluster means, but not getting steps to install one..

here you go:
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/SHCdeploymentoverview

Thank you