I am facing this issue where for some reason audit logs are not being ingested into Splunk. The app lives on a Heavy Forwarder.
Both Sign-In and Audit logs are set and have the same credentials. I triple-checked their input configurations and all seems correct. Sign-in logs are now being ingested as expected, unlike the audit logs.
They are all configured with a 300-second interval and with the default range for old logs. The errors I see are: