I have 3 systems. I want one system to work as a Forwarder, one as an Indexer and one as a Search Head.
Setting up the forwarder is fine, but I want to separate indexing and searching.
That means on the indexing system, searching should not be available, and on the search system, indexing should not be available.
How can I achieve this type of configuration?
Please let me know if you want more details.
I would suggest some homework first. Have a look at the Distributed Deployment guide, perhaps starting here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Deploy/Implementationoverview
This configuration is a highly common, typical small Splunk configuration. You:
This design is well-covered in the Distributed Deployment guide linked above as well as in the Splunk System Administration class. If you have specific questions about deploying this design, I would suggest a more specific follow-up question (or questions).
Hey @dwaddle, thanks for the help. Actually, I just completed the power user certification and am about to start with administration. Just one more query: after setting up the environment as you have mentioned, if I link more forwarders to the indexer, do I not have to worry about the search head?
Correct. Search heads don't particularly care about how many forwarders are connected to the indexer. But, if you are going to add a bunch of forwarders, then you should be looking at adding a deployment server to your design.