What you are thinking of is a search peer and distributed searching. Box A can be both an indexer and search-head while Box B is just a search head configured to look at Box A as a search peer.
Reference this doc: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Configuredistributedsearch
And this one: http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata
However, that said, you will not be able to do this with a free license. Distributed search is one feature disabled...
In obscure question, I'm sorry.
I want to separate the splunkweb from splunkd.
And, it does not think that's distributed search.
Such a configuration is possible?
I don't think it's possible. The reality is that splunkweb is a minor process compared to splunkd. It's splunkd that actually handles everything. You'd likely have better luck looking into how you could proxy the web connection to give the appearance of separation.
Yep, this is true. But it will still require distributed search functionality to set up a different splunk server to be the search head. That part won't be possible on the Free license.
No, it is not possible. Nor is it necessary. In any case, the UI just reads from the API. You can disable web, but you cant run just port 8000 on a different server.
What you could do is setup a proxy server like HAPROXY or NGINX, or a load balancer, and have it "handle" the web requests. But still splunk web will be running on the splunk server that's serving the proxy / NLB.
Just to pile on to what the others have been saying here. Splunk is not designed as a "3-tier" application, as you would think of coming from a J2EE world. You cannot run the "web tier" separate from the "application tier" and "database tier". It's just not architected that way.
Under a certain light, with a specific lens, distributed search starts to look sorta like a 2-tier application separating the web and app tiers from the database tier - but this is in my opinion a false analysis. Yes, in distributed search, the data is stored on the indexers, separately from the search heads. But, because Splunk uses Map-Reduce algorithms to coordinate work between the search heads and indexers, it cannot be said that the "business logic" is done on the search head tier and the "data storage" (and only the storage) is done on the indexing tier. The search heads and the indexers work together to run the "business logic" needed to perform a search.
As everyone else has noted, distributed search doesn't work on the Free license anyway, so it is somewhat moot for you personally.
Finally, as of Splunk 6.2, MUCH of the Splunkweb functionality was pulled entirely from Splunkweb and put into Splunkd. In Splunk 6.1, "splunkweb" listened directly on the HTTP 8000 port and processed ALL HTTP requests from browsers, proxying requests as-needed back to Splunkd on 8089. In 6.2, this was flipped around - the HTTP 8000 port is now listened to directly by Splunkd, and the "splunkweb" process has become a limited scope appserver for running what server-side python and such is required to render templates and so forth. See http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Webconf and the section for "appServerPorts"