The SIEM Agent does not poll any logs, and each execution fails with a message like:
[root@example:/var/log]# grep "ERROR-SIEM" splunk_client.log | head -1
2021-11-16 18:00:01,196-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.
[root@example:/var/log]# grep "ERROR-SIEM" splunk_client.log | tail -1
2021-11-29 16:00:01,448-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.
When the SIEM agent receives too many negative responses, for any reason, it goes into a wait state, and the wait is extended each time the agent receives further error responses.
Errors such as HTTP 400 or 500 responses can cause this; they can come from an intermediary device (such as a web proxy) or from the OCS/CloudSOC itself.
Clear the last-execution flag by running the agent manually with the "-c" switch.
Here is a brief description of the "-c" switch:
-c: a flag that clears the agent status for the last request it issued to the CloudSOC servers. The agent maintains this status in two files named export_log.lock and last_job.status. It automatically removes these files when it finishes normally. However, if the agent exits abnormally, it does not remove these files; this ensures that the next time the agent starts, it continues from the point where it left off. When you remove these files, the agent issues a fresh request to the CloudSOC servers.
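The two checks an operator wants before reaching for "-c" are how long the agent has been reporting the disabled state and whether the export_log.lock / last_job.status files from an abnormal exit are still present. The script below is an added example, not part of the article or the agent itself; the log content and the agent directory are constructed here, and the agent directory path is an assumption (the article only names the files).

```shell
#!/bin/sh
# Added example (not from the article): summarise the "disabled state" condition
# in splunk_client.log and report leftover agent state files.

# Constructed sample log, shaped like the excerpt in the article.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2021-11-16 17:00:01,100-Log_Exporter_Client-INFO-Polling logs
2021-11-16 18:00:01,196-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.
2021-11-17 18:00:01,200-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.
2021-11-29 16:00:01,448-Log_Exporter_Client-ERROR-SIEM Agent in disabled state.
EOF

# Print "<count>|<first timestamp>|<last timestamp>" for the disabled-state
# message. Returns 1 when the message never occurs, so it fits a cron/monitor check.
siem_disabled_summary() {
    pattern='ERROR-SIEM Agent in disabled state'
    count=$(grep -c "$pattern" "$1" || true)   # grep -c exits 1 on zero matches
    [ "$count" -gt 0 ] || return 1
    first=$(grep "$pattern" "$1" | head -n 1 | cut -c1-19)   # "YYYY-MM-DD HH:MM:SS"
    last=$(grep "$pattern" "$1" | tail -n 1 | cut -c1-19)
    echo "$count|$first|$last"
}

# List leftover state files in the agent directory (directory path is an
# assumption; the file names are the ones the article describes). Returns 1
# when none are present, i.e. the last run cleaned up after itself.
siem_stale_state_files() {
    found=0
    for f in export_log.lock last_job.status; do
        if [ -e "$1/$f" ]; then
            echo "$1/$f"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Constructed agent directory with one leftover lock file, to exercise the check.
SAMPLE_DIR=$(mktemp -d)
: > "$SAMPLE_DIR/export_log.lock"

siem_disabled_summary "$SAMPLE_LOG"
siem_stale_state_files "$SAMPLE_DIR"
```

On a real host, point the first function at /var/log/splunk_client.log and the second at the directory the agent runs from; a non-zero count together with leftover files is the situation the "-c" switch is meant for.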
Here is the article on how to manually run the SIEM Agent.