Hi,

After upgrading splunk forwarder from version 4.2.1 to 4.3.1, the Splunk indexer does not receive any data. The indexer has the 4.3.1 version installed. I think the issue is related to symlinks. The monitored files have a symlink included: "current_release". I've tested that I'm able to forward data not including symlinks.

Error message:

05-11-2012 11:32:48.836 +0200 ERROR TailingProcessor - matching /progs/cosmos/cos/releases/domain_Cos69/release_69.0.0_dummy/ against ^/progs/cosmos/cos/releases/domain_Cos[^/]*/current_release/servers/CM[^/]*/config/Cos[^/]*/CM[^/]*/logs/[^/]*\.log$

Extract from inputs.conf:

[monitor:///progs/cosmos/cos/releases/domain_Cos*/current_release/CM*/startCM.sh_out]
disabled = false
sourcetype = cos_weblogic_stdout
index = s00386_cos_test_sys
crcSalt=/progs/cosmos/cos/releases/domain_Cos38/current_release/CM1/startCM.sh_out
crcSalt=/progs/cosmos/cos/releases/domain_Cos39/current_release/CM1/startCM.sh_out

[monitor:///progs/cosmos/cos/releases/domain_Cos*/current_release/CM*/logs/jmsSender.log*]
disabled = false
_blacklist = .*\.gz$
index = s00386_cos_test_app
sourcetype=cos_log4j