Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk forwarder on linux: parameter format error after adding monitor

thambisetty
SplunkTrust
SplunkTrust
‎06-25-2014 02:48 AM

Hi,
I have installed splunk forwarder on linux which is having symantec Brightmail Gateway.
and i tried to forward the data from that machine to splunk indexer that forwarder sending data only one file under the folder.
The path which i have given while adding the monitor:
'/var/log/mail/symantec/inbound'
under the inbound i want to read everything which has extension of type '.gz'
i am getting error that is "parameter should be in this format '-parameter value' "
while try to give the path like '/var/log/mail/symantec/inbound/*.gz'
can anyone tell me why its happening like that
please.......

————————————
If this helps, give a like below.
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-25-2014 03:04 AM

If you're adding things from the CLI, you need to make sure that your shell is not expanding wildcards for you. If you do

splunk add monitor /var/log/mail/symantec/inbound/*.gz

Your shell will expand this into all files that match that. In order to prevent that from happening you need to escape it, for instance by putting it in single quotes.

splunk add monitor '/var/log/mail/symantec/inbound/*.gz'

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-25-2014 03:04 AM

If you're adding things from the CLI, you need to make sure that your shell is not expanding wildcards for you. If you do

splunk add monitor /var/log/mail/symantec/inbound/*.gz

Your shell will expand this into all files that match that. In order to prevent that from happening you need to escape it, for instance by putting it in single quotes.

splunk add monitor '/var/log/mail/symantec/inbound/*.gz'
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎06-25-2014 10:24 PM

now i want to remove that which i added to monitor earlier.
May i konw how to do that.again i will add to monitor as u said

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-18-2015 12:42 PM

Like the add command there is a remove command to remove monitor:

splunk remove monitor '/var/log/mail/symantec/inbound/*.gz'

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...