Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Re: Splunk Add Monitor Command Error: Why is "Para...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Team Splunk,
I am trying to add a monitor to a log file. When I do this as either the 'splunk' user or the 'root' user I receive the following error: "Parameter name: Path is not readable." I noticed that as the 'splunk' user I cannot read the file with the vi program. However I can read the file as the root user. So why would I receive this error if the 'root' user can read the file and I am running the ./splunk program as 'root'. I also noticed that the log files I am trying to forward are on a network file system that is mounted on the operating system (OS). I am not sure if this mount makes a difference or not.
Also, I noticed I can add the entire directory but not the specific file I want to forward to the indexer. Also, when I monitor the entire directory the indexer only monitors some other out of date log file and not the log file I am after. 0_o I noticed that the files in this directory are executable except for the specific log file I am trying to monitor.
Regards,
rogue_carrot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found out the problem. The splunk user did not have read access to the file. I gave the file read/write access with the linux setfacl program. Then my remote indexer picked up the forwarded log file events. I followed this simple tutorial: https://www.webhostinghero.com/how-to-give-file-permissions-to-a-specific-user-in-linux/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found out the problem. The splunk user did not have read access to the file. I gave the file read/write access with the linux setfacl program. Then my remote indexer picked up the forwarded log file events. I followed this simple tutorial: https://www.webhostinghero.com/how-to-give-file-permissions-to-a-specific-user-in-linux/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As Best Practice you should configure your systems to run the software as a non-root user
Try to change the ownership of the $SPLUNK_HOME directory to the user that you want Splunk software to run as.
https://docs.splunk.com/Documentation/Splunk/7.1.1/Installation/RunSplunkasadifferentornon-rootuser
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank-you for the reply. 🙂 I stopped the running splunk process that was executing as root and restarted the splunk process as the splunk user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found out the problem. The splunk user did not have read access to the file. I gave the file read/write access with the linux setfacl program. Then my remote indexer picked up the forwarded log file events. I followed this simple tutorial: https://www.webhostinghero.com/how-to-give-file-permissions-to-a-specific-user-in-linux/
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
