@danielbb Hello Daniel, Please follow the below steps.
1. Install Splunk on all the required instances.
2. Enable the receiving port `9997` on the indexer.
3. If you are forwarding data from a Universal Forwarder (UF) to a Heavy Forwarder (HF) and then to the indexer, ensure the receiving port is open on both the Heavy Forwarder and the indexer.
4. Ensure the following ports are open:
9997: UF to HF and HF to Indexer
8089: Management port between Indexers and Search Heads
8000: Web port for HF and Search Head (optional for indexers in production environments)
5. Add your indexer to the Search Head:
- Navigate to Settings > Distributed Search > Distributed Search Setup
- Enable distributed search, then go to Settings > Distributed Search > Search Peers
- Add the indexer details here and restart the Splunk instance.
6. If required, open port `8000` for the web interface on the Heavy Forwarder and Search Head. While optional for indexers, this port is typically not opened on production indexers.
Note:Before configuring Splunk, perform a telnet test to verify port connectivity:
- From UF to HF:
`telnet <HF_IP_Address> 9997`
- From HF to Indexer:
`telnet <Indexer_IP_Address> 9997`
- From Indexers to Search Heads:
Ensure the management port `8089` is open.
I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
