Thank you, I'll get my files cleaned up and keep an eye on that in the future. Now I understand the "DO NOT EDIT THIS FILE!" warning. I didn't think it made sense given the context.

The headers of configuration files are not read by Splunk.

The presence of this header in $SPLUNK_HOME/etc/system/local/web.conf is abnormal and seems to indicate that someone has copied $SPLUNK_HOME/etc/system/default/web.confto that location. This is not a good idea, as it prevents changes brought by Splunk upgrades in the default web.conf to take effect.

I would recommend to review the contents of the local version of web.conf and to retain only the things you've changed locally. You should not have a full copy of the default web.conf in the local directory.

Let me check with our qa/support team to see if this is expected behavior in an upgrade scenario. A fresh install would have Version 6.0 at the top of the file.

From the top of the file:

Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.3.1
DO NOT EDIT THIS FILE!
Please make all changes to files in $SPLUNK_HOME/etc/system/local.
To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
into ../local and edit there.

This file contains possible attributes and values you can use to configure Splunk's web interface.

You may be getting out of my comfort-zone, but I don't think we query the conf files for the version info (at least not now). Can you copy/paste the part of your web.conf that lists that version? (or, is this a filesystem meta-data version, in which case it may not have been updated since the original install)

That took care if it, thank you. Mine was set to False. I can now access my data.

Should the conf files all have the version of the current Splunk install? My web.conf listed 4.3.1 (I've gone through several upgrades on this machine).