Hi Andreas,

If you would like to have dedicated search heard, following steps might help you

• Install the new search head (same as installing any splunk instance) and configure. Assuming that you are not installing a search head cluster, the following document will help you to get through http://docs.splunk.com/Documentation/Splunk/7.1.1/DistSearch/Overviewofconfiguration

Once you have the "new" search head installed, copy the searches and apps to the new search head

• Do not copy the whole search "app" since it might create unexpected issues later. Instead of that copy the 'local' folder from your search app which should have your searches/macros/dashboards etc.
• Check if you have something in your user's local directory if there are some objects which are not shared in the app. https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Apparchitectureandobjectownership should give you an overview about the object permissions.
• You shall copy other 'apps' from the etc/apps folder directly to the new search head to the same location which includes your "Enterprise Security App"
• And as mentioned in Forward search head data, forward the data from SH to the "old" indexer.
• Disable scheduled searches on indexer once you have enabled them in the "new" search head. Make sure you are doing disable/enable on both search head simultaneously/without much time gap to avoid duplicate alerts. This includes searches from "app" as well.
• Regarding enterprise security, you should keep other configuration files on indexer for e.g. indexes,props,transforms as mentioned in http://docs.splunk.com/Documentation/ES/5.1.0/Install/Indexes
• Disable the search head on indexer to prevent users from using it (best practice) Setting » Server settings » General settings and select "No" for 'Run Splunk Web' [ or from cmd line ./splunk disable webserver]

Lets know in case you have further questions.