I'm running splunk 4.3. Here are the searcher and indexer configs I came up with plus a query to verify everything is working:
searcher inputs.conf:
[monitor:///opt/splunk/var/log/splunk]
_TCP_ROUTING = indexers
index = _internal
searcher outputs.conf:
[tcpout]
forwardedindex.filter.disable = true
defaultGroup = indexers
disabled=false
[tcpout:indexers]
server = x.x.x.x:9997
indexer inputs.conf:
[splunktcp://9997]
[monitor:///opt/splunk/var/log/splunk]
_TCP_ROUTING = *
index=_internal
query to verify (should include all active searchers and indexers):
earliest=-1m index=_internal NOT sourcetype= "searches" NOT sourcetype= "splunk_intentions"|dedup host|table host, time
... View more