Facing a similar issue. My setup however is on a local machine. I have Splunk installed and the forwarder installed as well; Splunk runs well and so does the forwarder. However I get the following error. What should I do? Is there a way I can still have the forwarder send the traffic to the Splunk server even though they both are running locally? Could this be due to a bottleneck on the port 9777?

The TCP output processor has paused the data flow. Forwarding to host_dest=XX.XX.xx.xx inside output group default-autolb-group from host_src=DESKTOP-USER has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Later on, after refreshing the page, I get this error:

Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes. Review system health: ensure downstream indexing and/or forwarding are operating correctly.

My outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xxx.xx.xxx:9997

[tcpout-server://xxx.xxx.xx.xxx:9997]

My inputs.conf:

[splunktcp://9997]
connection_host = xxx.xxx.xx.xxx

[monitor://C:\Snort\log\alert.ids]
disabled = false
sourcetype = snort_alert_full
source = snort
index = main

Or is it the fact that the server and the forwarder are on the same machine, so they compete for resources? Thanks for any assistance. Still a noobie.
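As an added example (not code from the post above or from Splunk), here is a small Python script that does the two checks a forwarder owner would want in this situation. It parses an outputs.conf and an inputs.conf modelled on the stanzas in the post and confirms that every tcpout target port has a matching splunktcp listener stanza and that connection_host uses one of the values Splunk documents for it (ip, dns or none), and it scans splunkd.log-style lines for the two messages quoted in the post, pulling out host_dest and blocked_seconds so you can see whether the block is growing over time. The config text and log lines are constructed; the 127.0.0.1 address, the timestamps and the log component names (TcpOutputProc, AuditTrail) are assumptions.

```python
import re
import configparser

# Constructed sample configs modelled on the stanzas in the post (not the poster's files);
# 127.0.0.1 stands in for the masked address.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 127.0.0.1:9997
"""

INPUTS_CONF = """
[splunktcp://9997]
connection_host = 127.0.0.1

[monitor://C:\\Snort\\log\\alert.ids]
disabled = false
sourcetype = snort_alert_full
source = snort
index = main
"""

# Constructed splunkd.log-style lines echoing the two messages quoted in the post;
# timestamps and component names are assumptions.
SPLUNKD_LOG = """\
01-01-2024 10:00:00.000 +0000 WARN  TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to host_dest=127.0.0.1 inside output group default-autolb-group from host_src=DESKTOP-USER has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs.
01-01-2024 10:00:05.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=0.1
01-01-2024 10:00:10.000 +0000 WARN  TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to host_dest=127.0.0.1 inside output group default-autolb-group from host_src=DESKTOP-USER has been blocked for blocked_seconds=20. This can stall the data flow towards indexing and other network outputs.
01-01-2024 10:00:12.000 +0000 WARN  AuditTrail - Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes.
"""

VALID_CONNECTION_HOST = {"ip", "dns", "none"}  # values Splunk documents for splunktcp stanzas
BLOCKED_RE = re.compile(r"host_dest=(\S+) inside output group (\S+) from host_src=(\S+) "
                        r"has been blocked for blocked_seconds=(\d+)")
AUDIT_DROP_MARKER = "Now skipping indexing of internal audit events"


def parse_conf(text):
    """Parse Splunk .conf text, keeping key case (defaultGroup) and no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def output_targets(outputs_text):
    """(group, host, port) for every server listed in a [tcpout:<group>] stanza."""
    cp = parse_conf(outputs_text)
    targets = []
    for section in (s for s in cp.sections() if s.startswith("tcpout:")):
        for entry in filter(None, (e.strip() for e in cp[section].get("server", "").split(","))):
            host, port = entry.rsplit(":", 1)
            targets.append((section.split(":", 1)[1], host, int(port)))
    return targets


def listener_ports(inputs_text):
    """Ports from [splunktcp://<port>] or [splunktcp://<host>:<port>] stanzas."""
    ports = set()
    for section in parse_conf(inputs_text).sections():
        m = re.fullmatch(r"splunktcp://(?:.*:)?(\d+)", section)
        if m:
            ports.add(int(m.group(1)))
    return ports


def check_forwarding_config(outputs_text, inputs_text):
    """Findings that would stop a forwarder and a receiver on one host from talking."""
    findings = []
    ports = listener_ports(inputs_text)
    for group, host, port in output_targets(outputs_text):
        if port not in ports:
            findings.append(f"group {group}: target {host}:{port} has no splunktcp listener "
                            f"on port {port} in inputs.conf (listeners: {sorted(ports)})")
    cp = parse_conf(inputs_text)
    for section in (s for s in cp.sections() if s.startswith("splunktcp://")):
        ch = cp[section].get("connection_host")
        if ch is not None and ch not in VALID_CONNECTION_HOST:
            findings.append(f"[{section}]: connection_host={ch!r} is not one of ip, dns or none")
    return findings


def blocked_events(log_text):
    """Every 'TCP output processor has paused' event as a dict of its key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            events.append({"host_dest": m.group(1), "group": m.group(2),
                           "host_src": m.group(3), "blocked_seconds": int(m.group(4))})
    return events


def summarize(log_text):
    """Longest block seen per destination plus how many audit-drop warnings followed."""
    max_blocked = {}
    for ev in blocked_events(log_text):
        max_blocked[ev["host_dest"]] = max(max_blocked.get(ev["host_dest"], 0), ev["blocked_seconds"])
    audit_drops = sum(AUDIT_DROP_MARKER in line for line in log_text.splitlines())
    return {"max_blocked_seconds": max_blocked, "audit_drop_count": audit_drops}


if __name__ == "__main__":
    for finding in check_forwarding_config(OUTPUTS_CONF, INPUTS_CONF):
        print("CONFIG:", finding)
    print("LOG:", summarize(SPLUNKD_LOG))
```

Run it against the real files by reading them into the two text arguments and feeding `$SPLUNK_HOME/var/log/splunk/splunkd.log` to `summarize`. A rising blocked_seconds across successive events means the receiver is still not draining its queue, while a port mismatch between the tcpout target and the splunktcp stanza shows up as a config finding before any log is consulted.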