We are planning to implement HEC on our Splunk setup, we are looking to see if HEC works on 9997 or should it only use 8088 port.
We already have UFs using 9997 port
As the others mention. You can change the port. However. You mention forwarder. They do not talk HEC. The talk splunk2splunk protocol. So running HEC on 9997 will not work to receive UF data.
You can run it on whatever port you can:
You can run HEC on any port but obviously, it cant be a port in use elsewhere on the same host.