There must be some cookbook out there, but I can't seem to find it. I have a 3-VM environment of a forwarder, indexer, and search head. I would like to create another VM for development. Can someone give me a general step-by-step of how to set up the 4th VM to act as a development environment doing its own indexing and searching of the logs collected by the forwarder?
On your 4th VM, just install Splunk and set it up like the indexer so it will listen on tcp:9997. You don't need to set up distributed searching because everything is done on one server. You might have to set the license server if you have that configured.
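The setup described in the answer, written out as configuration files. This is an added example, not part of the original posts. It goes one step beyond the answer by also showing the forwarder-side change needed for the dev VM to receive a copy of the data. The host names, group names, and license server address are placeholders.

```ini
# --- Dev VM: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive forwarder traffic on the same port the existing indexer uses.
[splunktcp://9997]
disabled = 0

# --- Dev VM: $SPLUNK_HOME/etc/system/local/server.conf ---
# Only needed if the environment uses a central license server.
# Placeholder address; newer releases name this setting manager_uri.
[license]
master_uri = https://license.example.internal:8089

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Listing two target groups in defaultGroup clones every event to both,
# so the existing indexer keeps receiving everything and dev gets a copy.
[tcpout]
defaultGroup = prod_indexer, dev_indexer

[tcpout:prod_indexer]
# Placeholder for the existing indexer
server = prod-idx.example.internal:9997

[tcpout:dev_indexer]
# Placeholder for the new 4th VM
server = dev-idx.example.internal:9997
```

Restart Splunk on the dev VM and the forwarder after editing. The dev instance then holds a full copy of the forwarded logs, so its accounts and network access need the same restrictions as the existing indexer.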