After some days the Splunk server stop receiving input. The forwarders are not changed, but I did some changes on splunk server (can't remember what I did). Also know that the firewall does not cause of the problem. On server Splunk server we have also configured Splunk Uniiversal forwarder. So same server include both Splunk Enterprise + Splunk Universal forwarder.
Not sure, but I think it's some trouble with indexer since they cannot receive inputs. Have also verified that environment variables is ok. Also changed file permission on all filres/directories below Splunk_HOME. So it should be fine
On Splunk Universal clients (on clients), splunkd.log says that TcpOutProc is connected to Splunk Server. It also says that the Splunk server LISTEN to *:9997.