Configuring a TCP input

On all of the indexers, you will need to configure a TCP input for receiving the forwarded internal logs from the other Splunk servers; this input can service forwarded data from universal forwarders as well:

1. Settings | Forwarding and receiving | Configure receiving | New Receiving Port (button)
2. Listen on this port: 9997
3. Save

Splunk will create or append an inputs.conf file in /opt/splunk/etc/system/local/ with the following content:

[default]
host = 172.31.28.223

[splunktcp://9997]
connection_host = ip

That completes the cluster master and indexing tier—let's set up the clustered search environment next.