A host that indexes its internal logs locally should be configured as an indexer. An indexer is a Splunk Enterprise instance that indexes data, transforming raw data into events and placing the results into an index. It also searches the indexed data in response to search requests. Indexers can index their own internal logs, such as _internal, _audit, _introspection, and _metrics, which are useful for monitoring and troubleshooting Splunk Enterprise. Indexers can also forward data to other indexers or third-party systems. References:

https://docs.splunk.com/Documentation/Splunk/9.1.1/Capacity/IntroductiontoSplunkarchitecture 1

https://docs.splunk.com/Documentation/Splunk/9.1.1/Indexer/Whatisanindexer 2

https://docs.splunk.com/Documentation/Splunk/9.1.1/Troubleshooting/Abouttheinternalindexes 3