We are using 6.5.2 Enterprise.
On new search heads, the core logs have been moved to a symlink:
ls -l /opt/splunk/var/log/
drwx------. 2 splunk splunk 4096 Apr 17 17:50 introspection
lrwxrwxrwx. 1 splunk splunk 15 Mar 20 11:46 splunk -> /var/log/splunk
This results in reported errors:
04-28-2017 07:36:37.346 +0000 ERROR FilesystemChangeWatcher - Error setting up inotify on "/opt/splunk/var/log/splunk": Not a directory
but the logs seem to be indexed normally.
Can I safely assume that these should be WARN, or am I going to have issues down the line (log rotation, upgrades, whatever)?
I'm having the same issue. I think it's an ERROR, because we're not getting logs from the sub-directories below the symlink. We changed the path to the hard path to work around this.