Hi @gcusello @VatsalJagani @PickleRick

Thanks for the response. I had a feeling that was going to be the answer.

So I upgraded the HWF from 7.1 to 8.1.14, but then discovered that, whilst it could output data it ingested using HTTPOUT, that doesn't include data forwarded to it from other universal forwarders (this is documented, I discovered after). So in the end I made a sudden decision to change the HWF to a Universal Forwarder receiving data from other Universal Forwarders via old style S2S and send it to our cloud instance via HTTPOUT (and it's working).

This does leave me worrying my plan for migration to Splunk Cloud might have an issue: I'm planning to get rid of all on-prem servers, except for a newly built deployment server to manage the UF, which could also act as a 'junior' heavy forwarder for anything unusual which needs to be collected by something on our internal network (I have a feeling DB Connect functionality might be asked for soon, or possibly receiving a TCP stream, or even receiving data from old UF on old operating systems which can't handle new UF which support HTTPOUT).

Will this plan not work when I need to send data to the Cloud from a Splunk Enterprise install using HTTPOUT?

Thanks all!

Eddie