Hi guys, 
 I've had this problem twice (and forgot the solution as well).  I thought I would post the answer for next time I have the same 🙂 
 It is to do with the deployment server, so when you set up the deploy poll functionality: 
  splunk set deploy-poll <host>:<port>
  
 Make sure the port is the management port on the server (default is 8089) not the receiver listening port (default 9997).  Check this in $SPLUNK_HOME/etc/system/local/deployment-client.conf. 
 The forwarder still goes to 9997 (or whatever port you have set the receiver to): 
  splunk add forward-server <host>:<port> -auth <username>:<password>
  
 This fixes it for me so I hope it helps. 
 Thanks, 
 Gethyn 
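
 A way to check for the mix-up described in the post above, added here as an example and not part of the original post: it reads the `targetUri` setting from deployment-client.conf and reports when its port is 9997 or one of the receiver ports in the `server` setting of outputs.conf. The function names, hostnames and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a deploy-poll target that points at a receiving port.
# targetUri (deployment-client.conf) and server (outputs.conf) are Splunk
# setting names; function names and sample contents are constructed.

# Print the port of the first targetUri setting in a deployment-client.conf.
deploy_poll_port() {
    sed -n 's/^[[:space:]]*targetUri[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | sed 's/[[:space:]]*$//; s/.*://'
}

# Print each distinct receiver port from "server =" lines of an outputs.conf.
receiver_ports() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' | sed 's/[[:space:]]*$//; s/.*://' | sort -u
}

# Return 0 if the poll port matches no receiving port, 1 if it matches
# 9997 or a port from outputs.conf, 2 if no targetUri is set.
check_deploy_poll() {
    dc_conf=$1
    out_conf=${2:-}
    port=$(deploy_poll_port "$dc_conf")
    if [ -z "$port" ]; then
        echo "no targetUri in $dc_conf"
        return 2
    fi
    bad="9997"
    if [ -n "$out_conf" ] && [ -f "$out_conf" ]; then
        bad="$bad $(receiver_ports "$out_conf")"
    fi
    for p in $bad; do
        if [ "$p" = "$port" ]; then
            echo "targetUri port $port is a receiving port; use the management port (default 8089)"
            return 1
        fi
    done
    echo "targetUri port $port does not match a receiving port"
    return 0
}

# Constructed sample: the poll target was set to the receiver port by mistake.
tmp=$(mktemp -d)
printf '[target-broker:deploymentServer]\ntargetUri = splunk.example.com:9997\n' > "$tmp/deployment-client.conf"
printf '[tcpout:primary]\nserver = splunk.example.com:9997\n' > "$tmp/outputs.conf"
check_deploy_poll "$tmp/deployment-client.conf" "$tmp/outputs.conf" || true
rm -rf "$tmp"
```

 On a real forwarder, pass the paths of its own deployment-client.conf and outputs.conf to `check_deploy_poll`.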