event shows repeatedly in splunkd.log

Kate_Lawrence-G · ‎10-06-2011

Hoping someone can help me out here:

I have a system with a heavy forwarder installed (v.4.1.6) that shows the following event repeatedly (at last count 150k+)

10-06-2011 17:56:33.846 WARN  TcpOutputProc - The event is missing source information. Event :

I think it has something to do with a bad input the configurations are standardized an look correct.
I have also reinstalled the splunk package with no luck.
Connectivity between the client and the indexer is OK ; I can port 9997 is open and clear.

Thanks!

koshyk · ‎10-07-2016

is your Cluster master 6.3x or 6.4x by any chance? we had same issue from Search heads when indexer discovery is enabled. if yes, this is a bug which is fixed in 6.4.4 ownwards

ncsantucci · ‎05-23-2014

I have observed same when in no particular order

1) hostname -f fails to return an FQDN 2) in /etc/hosts if the line containing the hostname / hostname w/ FQDN is of the format

IP SHORTNAME FQDN

when in point of fact it must be of the form

IP FQDN SHORTNAME

That's why hostname -f didn't work. Wrong ordering

suppose we have an /etc/hosts as follows

127.0.0.1 localhost localhost.localdomain
a.b.c.d   hostname hostname.domain

we can resolve as follows:

grep localhost /etc/hosts > /etc/hosts.correct
grep `hostname` /etc/hosts | awk '{print $1 " " $3 " " $2}' >> /etc/hosts.correct
\cp -p /etc/hosts /etc/hosts.broken
\cp -p /etc/hosts.correct /etc/hosts

Output of /etc/hosts

127.0.0.1 localhost localhost.localdomain
a.b.c.d   hostname.domain hostname

DaveSavage · ‎09-26-2012

Kate - am not sure this may solve it - but have you checked that host's IP address and / or name are set up correctly? Probably a daft question if its a major server out there 😉

event shows repeatedly in splunkd.log

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!