In our case (6.2 Enterprise)
tail -f splunkd.log
suggested there was a lock on mongo.db
rm /opt/splunk/var/mongo/mongod.lock
did the job and allowed the httpd process to start.

For firewalls (Checkpoints): number of accepts/denies for a particular service (port) (i.e. profiling.)
Also for baselining: log volumes for every type of event.

Had a similar situation: estream stopped flowing after a network outage that took the SDC-splunk link down...
Ended up manually removing pid files in apps/Sourcefire/tmp ; archiving logs in ../log
However, most likely, it's the bookmark reset (./ssl_test.pl -start=now ) that helped...