i only want to monitor files in the directory pkorb and not files in subdirectory pkorb/oldlogs
What is the right monitor ?
or any other ?
I'd give this a shot:
[monitor:///var/log/pkorb] recursive = false
[monitor:///var/log/pkorb] blacklist = oldlogs
The latter would recurse, but skip the oldlogs directory. See http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/inputsconf for specs.
[monitor:///var/log/pkorb/*] will forward any files sitting in the
pkorb directory but will NOT forward files from sub-directories in that
If you wanted to ingest data from a subdirectory, it would look like