Thanks. But I am using GUI to create UDP receivers on HF. Shall i create inputs.conf under local folder on HF and use that?

The inputs.conf that creates the UDP listener might live under $SPLUNK_HOME/etc/system/local, or $SPLUNK_HOME/etc/apps/search/local. Remember that you can have multiple inputs.conf files, and that they're all merged to set the active configuration on the forwarder. If you want to determine where that inputs.conf file is using the CLI, leverage the BTOOL command ./splunk cmd btool inputs list --debugand look for your UDP stanzas. The debug portion of the tool command ensures that the file paths are shown. Yes, get used to editing the .conf files directly in a text editor, as there are options available that are not exposed in the UI.

Thanks. It works

Good news!

I have made changes as suggested and this is not working as intended. After making changes, i stop receiving logs on Indexer.

Following is output from BTOOL.

/opt/splunk/etc/apps/search/local/inputs.conf [udp://9514]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/apps/search/local/inputs.conf connection_host = ip
/opt/splunk/etc/system/local/inputs.conf host = "Hostname of HF"
/opt/splunk/etc/apps/search/local/inputs.conf index = meraki_logs
/opt/splunk/etc/apps/search/local/inputs.conf sourcetype = meraki

Can you please direct me how to troubleshoot?

Thanks. But i have defined UDP receivers using GUI on Heavy forwarder. Shall i create inputs.conf in local folder and use that?

facing similar issue. my setup however is on a local machine. i have splunk installed and the forwarder installed as well, splunk runs well and so does the forwarder. however i get  the folowing error. what should i do. is there a way i can still have the forwarder send the traffic to the splunk server even though they both are running locally. could this be due to a bottle neck on the port 9777 ?

The TCP output processor has paused the data flow. Forwarding to host_dest=XX.XX.xx.xx inside output group default-autolb-group from host_src=DESKTOP-USER has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data

later on after refreshing the page i get this error 

Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes. Review system health: ensure downstream indexing and/or forwarding are operating correctly.

my outputs.conf 

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xxx.xx.xxx:9997

[tcpout-server://xxx.xxx.xx.xxx:9997]

my inputs.conf

[splunktcp://9997]
connection_host = xxx.xxx.xx.xxx

[monitor://C:\Snort\log\alert.ids]
disabled = false
sourcetype = snort_alert_full
source = snort
index = main

or the fact that the server and the forwarder are on the same machine they compete for resources ? . thanks for any asistance. still a noobie

Digging up a 6 year old thread might not be the best way to get meaningful response.

I'd advise you to start a new thread with detailed description of what is your problem and what you attempted already to resolve it.