I'm seeing the following entry every minute in audit.log:
Audit:[timestamp=08-05-2013 18:10:09.376, user=admin, action=restart_splunkd, info=granted ][n/a]
I know for a fact that splunkd is not getting restarted every minute.
Per the following answer, this is a bug where the audit handler produces noise: http://splunk-base.splunk.com/answers/8516/auditlog-restart_splunkd
View solution in original post