@danielbb 

@danielbb 

Create `inputs.conf` and `outputs.conf` on the Heavy Forwarder (HF) if you want to forward data directly from the HF to the indexers. Alternatively, create `inputs.conf` and `outputs.conf` on the Universal Forwarder (UF) to send data to the HF, which will then forward it to the indexers.

@danielbb Hello Daniel, Please follow the below steps.

1. Install Splunk on all the required instances.

2. Enable the receiving port `9997` on the indexer.

3. If you are forwarding data from a Universal Forwarder (UF) to a Heavy Forwarder (HF) and then to the indexer, ensure the receiving port is open on both the Heavy Forwarder and the indexer.

4. Ensure the following ports are open:

9997: UF to HF and HF to Indexer

8089: Management port between Indexers and Search Heads

8000: Web port for HF and Search Head (optional for indexers in production environments)

5. Add your indexer to the Search Head:

- Navigate to Settings > Distributed Search > Distributed Search Setup

- Enable distributed search, then go to Settings > Distributed Search > Search Peers

- Add the indexer details here and restart the Splunk instance.

6. If required, open port `8000` for the web interface on the Heavy Forwarder and Search Head. While optional for indexers, this port is typically not opened on production indexers.

Note:Before configuring Splunk, perform a telnet test to verify port connectivity:

- From UF to HF:

`telnet <HF_IP_Address> 9997`

- From HF to Indexer:

`telnet <Indexer_IP_Address> 9997`

- From Indexers to Search Heads:

Ensure the management port `8089` is open.