ERROR HTTPClient - Should have gotten at least 3 tokens in status line, while getting response code. Only got 0. - what does it mean?

From my own experience I would rather think it means something else, or that there is a bug, or that something is slightly misconfigured.

I keep getting these messages from ALL BUT ONE of the hosts in my setup .

1 Indexer v4.2.1
1 Search Head v4.2.1
1 Heavy Forwarder v4.2.2 <-- only the 4.2.2 host is NOT generating these messages.
1 Universal Forwarder v4.2.0
50-odd Universal Forwarders v4.2.1

I do not think it is network related, since the Search Head and Indexer are on the same VLAN and neither of them are under any considerable load (~5GB of daily log).

I do not believe that it has anything to do with HOW logs are transported to the indexer. Below is the outputs.conf that is delivered to all forwarders.

[tcpout]
defaultGroup = splunkssl
disabled = false
compressed=true

[tcpout:splunkssl]
server = splunkindex.company.com:9997

[tcpout-server://splunkindex.company.com:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/company-forwarding/local/company-splunk-forwarder.pem
sslCommonNameToCheck = company-splunk-indexer.company.com
sslPassword = XXXXXXXXX
sslRootCAPath = $SPLUNK_HOME/etc/apps/company-forwarding/local/company-ca.pem
sslVerifyServerCert = true

I would rather guess that this is along the lines of the bogus(?) error message:

Error encountered for connection from src=10.XXX.XXX.XXX:65278. Success

That error also came in from all forwarders until we upgraded from 4.2.0 to 4.2.1. So currently there is one UF (4.2.0) still sending these latter error messages, but the logs keep coming in anyway.

If anyone knows a definite answer it'd be good to know, but I'm not too worried as everything seems to be working fine.

Kristian

I see these errors from a Windows Server 2003 machine and my log machine is way under utilized?