Please see the "Send data to HTTP Event Collector on Splunk Cloud Platform" section in the following documentation.

https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/UsetheHTTPEventCollector

Are you using the correct URI format with prefix and endpoint? The standard form for the HEC URI in Splunk Cloud Platform is as follows:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>

One thing to point out is that if you are using httpout, there is no need for the Splunk forwarder app (100_splunkcloud) as that is for Splunk-to-Splunk (S2S) forwarding. Splunk UFs can do either tcpout or httpout, but not both.

https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf#Available_parameters_for_the_httpout_stanza

1. .conf files should generally be within a custom-created app for the purpose such as: $SPLUNK_HOME/etc/apps/network_inputs/local.conf or $SPLUNK_HOME/etc/apps/base_configs/server.conf, but can be created within $SPLUNK_HOME/etc/system/local without issue to have the highest global precedence if desired. Here is some documentation on file precedence:

https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/Wheretofindtheconfigurationfiles

2. You are correct, _internal and _audit logs are collected by default in /etc/system/default/inputs.conf and will ingest into SplunkCloud once forwarding is configured.

I also came across this blog post which may be helpful:

https://discoveredintelligence.ca/solving-roaming-users-http-out-for-the-splunk-universal-forwarder/
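An added example, not part of the reply above and not Splunk tooling: a Python check that reads the contents of a forwarder's outputs.conf and reports the two issues the reply raises, a tcpout stanza left in place next to httpout and an httpout `uri` whose host lacks the `http-inputs-` prefix. The sample configs, the token value and the stack name `example` are constructed, and the characters allowed in `<host>` are an assumption.

```python
import configparser
import re
from urllib.parse import urlsplit

# Host form quoted in the reply: http-inputs-<host>.splunkcloud.com
# (the allowed characters for <host> are an assumption of this example)
HEC_HOST = re.compile(r"^http-inputs-[a-z0-9-]+\.splunkcloud\.com$", re.I)

def check_outputs_conf(text):
    """Return a list of findings for the contents of an outputs.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. httpEventCollectorToken
    cp.read_string(text)
    if "httpout" not in cp:
        return ["no [httpout] stanza found"]
    findings = []
    # A UF forwards with tcpout or httpout, not both.
    if any(s == "tcpout" or s.startswith("tcpout:") for s in cp.sections()):
        findings.append("tcpout stanza present alongside httpout")
    if not cp["httpout"].get("httpEventCollectorToken", "").strip():
        findings.append("httpEventCollectorToken is not set")
    parts = urlsplit(cp["httpout"].get("uri", "").strip())
    if parts.scheme not in ("http", "https"):
        findings.append("uri has no http/https protocol")
    if not HEC_HOST.match(parts.hostname or ""):
        findings.append("uri host lacks the http-inputs-<host>.splunkcloud.com form")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port is None:
        findings.append("uri has no valid port")
    return findings

# Constructed samples: placeholder token and stack name.
GOOD = """
[httpout]
httpEventCollectorToken = 00000000-0000-0000-0000-000000000000
uri = https://http-inputs-example.splunkcloud.com:443
"""
BAD = """
[tcpout]
defaultGroup = splunkcloud
[httpout]
httpEventCollectorToken = 00000000-0000-0000-0000-000000000000
uri = https://example.splunkcloud.com:443
"""

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_outputs_conf(conf) or "ok")
```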