I'm finding the otherwise unimpactful messages :
ERROR TcpOutputProc - Illegal format for config item 'uri'
showing up in splunkd.log. I'm guessing this has something to do with a configuration stanza name problem, but it is a pretty vague message, and I'm hoping somebody could offer advice concerning the origin and purpose of this event. Thanks!
Muebel - can you check the pass4SymmKey in the forwarders outputs.conf and the pass4SymmKey in the [indexer_discovery] stanza in the server.conf of the cluster master?
Also: Support requests that you open a case on this one, so they can get a bug (or bugs) assigned to engineering, or attach the case to existing defect tickets.
In my case (splunkforwarder-6.3.3-f44afce176d0-linux-2.6-x86_64.rpm), this error seems to have been caused by comments within inputs.conf:
[tcpout] defaultGroup=Production disabled=false [tcpout:Production] #server= 172.19.94.77:9997 # Model server= 172.19.94.19:9997 # splunk-delphi.blah.com
Pruning all the comments and restarting splunkd seems to have fixed it. Bad parser?
Just ran into this issue and found that it was caused by a malformed list of servers in outputs.conf