I just resolved this issue myself.
TLDR: Any directories you're reading from, you must have read access to, and must have the execute bit set.
I highly recommend keeping SELinux doing its job and executing the following for your hosts:
sudo setfacl -R -m u:splunk:rX /path/to/logs
The -R switch will apply permissions recursively.
The -m is to modify the existing ACL.
The u:splunk specifies the splunk user.
The rX grants read access to everything, and sets the execute bit only on files with an existing execute bit flipped.
Cheers
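To confirm what the setfacl command above actually granted, this added example (not part of the original post) reads `getfacl` output and reports the splunk user's effective rights, which are the named-user entry limited by the ACL mask. The function names and the two sample ACL listings are constructed for illustration.

```shell
#!/bin/sh
# effective_perms USER   (reads getfacl output on stdin)
# Prints the effective rwx string for USER's named ACL entry, i.e. the entry
# ANDed with the mask entry, or "none" when USER has no named entry.
effective_perms() {
    awk -F: -v user="$1" '
        { sub(/[ \t]*#.*$/, "") }            # drop "# file:" headers and "#effective:" notes
        $1 == "user" && $2 == user { entry = $3 }
        $1 == "mask"               { mask = $3 }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"     # no mask line: nothing limits the entry
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1); m = substr(mask, i, 1)
                out = out ((e != "-" && e == m) ? e : "-")
            }
            print out
        }'
}

# can_traverse_and_read USER   (reads getfacl output on stdin)
# Succeeds only if USER ends up with both read and execute on the directory.
can_traverse_and_read() {
    case "$(effective_perms "$1")" in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: directory right after the setfacl command.
ACL_OK='# file: path/to/logs
# owner: root
# group: root
user::rwx
user:splunk:r-x
group::r-x
mask::r-x
other::---'

# Constructed sample: same entry, but the mask was narrowed afterwards
# (for example by a later chmod of the group bits).
ACL_MASKED='# file: path/to/logs
user::rwx
user:splunk:r-x	#effective:r--
group::r-x	#effective:r--
mask::r--
other::---'

printf 'after setfacl: %s\n' "$(printf '%s\n' "$ACL_OK" | effective_perms splunk)"
printf 'mask narrowed: %s\n' "$(printf '%s\n' "$ACL_MASKED" | effective_perms splunk)"
```

On a real host, pipe the directory's listing in: `getfacl /path/to/logs | effective_perms splunk`.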