I had the same issue using 'sudo -u splunk splunk ./splunk add monitor /var/log/' to add a monitor. I ended up adding .splunk directory to my home and running chmod 777 on it.
The add-monitor script added an authToken_servername_8089 to my normal user home directory, but owned by splunk:splunk,
... View more