Yes there are large number of files as part of this directory.

Interesting. A fascinating "article" about the dangers of large number of files to monitor at is there a limit on the number of files splunk can monitor?

Monitor too many with a wildcard approach and Splunk will tack the CPU at 100%. In this case he just wants main.log so it shouldn't be too bad unless there are many thousands+

No dont have count of main.log's counting to 1000's not does CPU take a spike on the node where the forwarder is installed.

No this failed to help work as well.

Then you have a permissions issue or typo on your config.

Check the internal index for error messages:

index=_internal host=yourForwarder main.log

Dont see any errors reported that can help point out to the root cause for this.

Do you see any messages with the search above? Can you paste them here?

My bad, I do see an error reported as below.

ERROR TailingProcessor - File will not be read, is too small to match seekptr checksum (file=/appl/proddata/tmp/U/LOG_FILES/elixir_logs/FXModel/20170804_143057_28122/TWDCNY/2017-07-26_1/main.log). Last time we saw this initcrc, filename was different. You may wish to use a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.

But just to add I did try adding CRC salt as well which did not seem to have fixed the issue.

You added

crcSalt=<SOURCE>

In inputs.conf?

Yes correct