Firstly, thanks for the edit, dwaddle. I see what you did with the indent and I will do that from now on.
Gareth, it's 4.1.6 on Linux. Your question about the web_service log was right on target. At first I thought not, since these are indexers and don't get much HTTP traffic, although splunkweb is enabled for convenience. Then I looked at the logs and saw tons of web vulnerability assessment traffic. Understanding that those session files correspond to splunkweb traffic was the key. Thanks!