Taking into account the info provided above regarding system requirements and architecture, if you want a search head, an indexer, and a forwarder, here are some notes that might help you get up and rolling quickly. I would recommend reading the docs on this as well so you understand it more deeply, but this will be sort of a quick start.
1. Install Indexers
2. Change default password on each Indexer (required for Search Head to connect)
3. Install Search Head
4. Install Licenses on Search Head (License Master)
5. Configure each Indexer as a License Slave
   - Settings > Licensing
   - Click Change to slave
   - Click Designate a different Splunk instance as the master license server radio button
   - Specify the IP/Hostname and Splunk management port (8089 by default)
   - Save
6. Establish connections from Search Head to all Search Peers. This is the key step.
   - Distributed search > Search peers > Add New
   - Specify the search peer, along with any authentication settings
   - Save
7. Install Universal Forwarders and configure to send to all Search Peers

   Example Universal Forwarder outputs.conf

       [tcpout]
       defaultGroup = my_search_peers

       [tcpout:my_search_peers]
       server=10.10.10.1:9997,10.10.10.2:9997
       autoLB = true

8. Forward internal SH data to the indexer tier.
   - Create indexes from SH on the indexers (search peers). Internal indexes will already exist, but indexes created by apps can be easily created by installing the apps on the indexers as well.
   - Set SH up to Forward to all Search Peers.

   Example outputs.conf

       # Turn off indexing on the search head
       [indexAndForward]
       index = false

       [tcpout]
       defaultGroup = my_search_peers
       forwardedindex.filter.disable = true
       indexAndForward = false

       [tcpout:my_search_peers]
       server=10.10.10.1:9997,10.10.10.2:9997
       autoLB = true
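An added example, not part of the original post and not Splunk tooling: a small Python check for the two outputs.conf layouts shown above, useful before pushing the file to forwarders or the search head. The function names and the choice of checks are assumptions made for illustration; the embedded sample is the post's search-head config, constructed inline.

```python
import configparser

# Constructed sample: the search-head outputs.conf from the post above.
SEARCH_HEAD_CONF = """
[indexAndForward]
index = false
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.10.10.1:9997,10.10.10.2:9997
autoLB = true
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_outputs(text, search_head=False):
    """Return a list of problems found in an outputs.conf body (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names exactly as written (no lowercasing)
    cp.read_string(text)
    if not cp.has_section("tcpout"):
        return ["missing [tcpout] stanza"]
    problems = []
    groups = _csv(cp.get("tcpout", "defaultGroup", fallback=""))
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = "tcpout:" + group
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup '{group}' has no [{stanza}] stanza")
            continue
        servers = _csv(cp.get(stanza, "server", fallback=""))
        if not servers:
            problems.append(f"[{stanza}] lists no server")
        for entry in servers:
            host, _, port = entry.rpartition(":")
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"[{stanza}] bad host:port entry '{entry}'")
    if search_head:
        # Settings taken from the post's search-head example.
        if cp.get("indexAndForward", "index", fallback="").lower() != "false":
            problems.append("[indexAndForward] index is not false")
        if cp.get("tcpout", "forwardedindex.filter.disable", fallback="").lower() != "true":
            problems.append("forwardedindex.filter.disable is not true")
    return problems
```

Call `check_outputs(text)` for a Universal Forwarder file and `check_outputs(text, search_head=True)` for the search head; an empty list means every check passed.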