Not really. I believe I disabled the monitor for /etc just to make it stop.

That is how I already identified the problem.

config_file is a sourcetype that you can find in your license usage report?
because in Splunk_TA_nix there isn't this sourcetype so I don't know where you call it.
Bye.
Giuseppe

I believe it is happening here:

[~/etc/apps/Splunk_TA_nix/default] $ grep "config_file" *
grep: data: Is a directory
eventgen.conf:sourcetype = config_file
props.conf:sourcetype = config_file
props.conf:[config_file]
props.conf:TRANSFORMS-fix_source_for_config_file = fix_source_for_config_file
transforms.conf:[fix_source_for_config_file]
[~/etc/apps/Splunk_TA_nix/default] $

LOL, not the best screenshot was it? I loaded a more consistent one.

This has been going on for weeks and there is never anything put in os.

Now, could you verify if you've access to index=os, just to be sure? (check in Role/user setting or run the rest command | rest /services/authentication/users/<<yourUserName>> )

I do have access.

Strange. So I'm guessing you've tried to run your search with a very wide time range as the data could be historical? Also, are you running this search from appropriate SH which has all the indexers as peers? can you see data for other sourcetypes in index=os?
Also, in your license usage search, the highlighted event has h="", do you get other records with a non-empty h value?

Searching for all time returns nothing for config_file, but I can see other sourcetypes.

Yes, there are valid h values for about 96% of the results in that search.