One thing I have noticed is that if there is an error anywhere in the outputs.conf file, Splunk will not hash the password. Also, contrary to what some have said, you must have the password in plaintext, and let the splunk instance hash the password on startup. Even if you are copying the SSL certs from another forwarder and try to just copy the outputs.conf file, for us at least we needed to re-enter the password again in plaintext.
Might not help you, but I'd be sure to look in the splunkd logs and other logs for errors centered around the outputs.conf file and SSL connection. Banged my head for a day looking for the cause of this only to find that due to a syntax error in my outputs.conf file the parsing failed and the password was never even read.
We are using 6.2.1 btw.
... View more