splunk syslogs Forwarder set up not working and paused data flow

I have set up the Universal Forwarder locally in my machine using this guide

https://splunk.paloaltonetworks.com/universal-forwarder.html

/opt/splunkforwarder/etc/system/local/inputs.conf

[monitor:///var/log/udp514.log]
sourcetype = pan:log
disabled =0

/opt/splunkforwarder/etc/system/local/outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx-xps-15-7590:9997
disabled=false
[tcpout-server://xxx-xps-15-7590:9997]

(the local ip becomes 'xxx-xps-15-7590' same for the web UI)

I have checked that syslog actually send logs event into the file /var/log/udp514.log so I am sure the logs are there. Port 9997 has been allowed on splunk UI (Forwarding and receiving settings).

However when I do a search : source="/var/log/udp514.log" nothing shows up.

Also splunk throws a message:

'The TCP output processor has paused the data flow. Forwarding to host_dest=xxx-xps-15-7590 inside output group default-autolb-group from host_src=xxx-XPS-15-7590 has been blocked for blocked_seconds=10. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.'

I understand data have been forwarded from host_src but the not indexer for some reason does not ingest them so it get blocked?

Any idea where the problem is?

However when I do a search : source="/var/log/udp514.log" nothing shows up.

This query does not specify an index so will use your default index list. If your role has no default indexes then the query will return nothing. Try specifying the main index.

index=main source="/var/log/udp514.log"

If you still get nothing, increasing the search time window may help.

index=main source="/var/log/udp514.log" earliest=-30d latest=+30d

After you update the inputs.conf stanza to specify an index name (a Best Practice), then update the query to use the same index.